Next Generation Firewall (NGFW)


Anticipated TCP 3 handshake

  • 1.  Anticipated TCP 3 handshake

    Posted Nov 18, 2019 01:33 PM
    Hello Guys;

    This is my first post (so please don't be too hard on me).

    We noticed a strange behavior with our FORTIGATE 100 E when trying to run NMAP against an external server outside our network.

    It seems that the FORTIGATE does a TCP 3-way handshake with our internal PC (inside our LAN) before sending the packet to the external server (and in this case the external server responds with a RST or does the real 3-way handshake with the FORTIGATE).

    We have this kind of behaviour when we scan TCP/2000.

    We suspect the PROXY MODE and also the session helper.

    Does anyone have any idea?


  • 2.  RE: Anticipated TCP 3 handshake
    Best Answer

    Posted Nov 18, 2019 03:44 PM

    This is an expected behavior on any firewall when you do an NMAP scan on TCP/2000, which is an SCCP port.

    TCP port 2000 is treated as Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

    So we do not recommend doing NMAP tests on ports like (SCCP/SIP) TCP 2000, TCP 5060, 5061.

    Technical Note: FortiGate is not forwarding TCP ports 5060, 5061 and 2000


    Technical Note: Disabling VoIP Inspection


  • 3.  RE: Anticipated TCP 3 handshake

    Posted Nov 20, 2019 01:48 PM
    Thanks Vinay