Next Generation Firewall (NGFW)


Anticipated TCP 3 handshake

  • 1.  Anticipated TCP 3 handshake

    Posted Nov 18, 2019 01:33 PM
    Hello Guys;

    This is my first post (so please don't be too hard on me)

    We noticed a strange behavior with our FORTIGATE 100 E when trying to do an NMAP scan of an external server outside our network.

    It seems that the FORTIGATE does a TCP 3-way handshake with our internal PC (inside our LAN) before sending the packet to the external server (and in this case the external server responds with a RST or does the real 3-way handshake with the FORTIGATE).

    We have this kind of behaviour when we scan TCP/2000.

    We suspect the PROXY MODE and also the session helper.

    Does anyone have any idea?

    Regards,


  • 2.  RE: Anticipated TCP 3 handshake
    Best Answer

    Posted Nov 18, 2019 03:44 PM
    Hi,

    This is expected behavior on any firewall when you do an NMAP scan on TCP/2000, which is an SCCP port.

    TCP port 2000 is treated as Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

    So we do not recommend doing NMAP tests on ports like (SCCP/SIP) TCP 2000, TCP 5060, 5061.




    Technical Note: FortiGate is not forwarding TCP ports 5060, 5061 and 2000

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD36152

     

    Technical Note: Disabling VoIP Inspection

    https://kb.fortinet.com/kb/viewContent.do?externalId=FD36405&sliceId=1

     
    Thanks,
    Vinay




  • 3.  RE: Anticipated TCP 3 handshake

    Posted Nov 20, 2019 01:48 PM
    Hello,
    Thanks Vinay