
Port Scan - Open Ports

I manage two Sophos SG firewalls (SG115w and SG210) at two different sites and have recently started conducting external port scans on both. The scan reports show that TCP port 2000 and 5060 are open on one of the firewalls and are closed on the other, however having compared their configurations I believe that they are both identical.

Both firewalls are running the most current available firmware version and VoIP and H323 protocol support are disabled within the WebAdmin console on both. Are there any other settings that I may have overlooked on one of the firewalls that can result in these two ports remaining open?

Kind regards,

Lee.



  • Hi Lee and welcome to the UTM Community!

    5060 is SIP - does the site with that open use VoIP?  2000 is a different story - have you looked at the "Automatic firewall rules" to see if there's a NAT or other rule letting that in?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob and thank you for the welcome!

    We do have a VoIP system however the external interface of the Session Border Controller connects to a FortiNet gateway supplied by our telecoms and broadband provider. The Sophos UTM connects separately to the FortiNet gateway to route externally. VoIP traffic therefore does not pass through the UTM, and no consideration has been made to support VoIP traffic in its configuration.

    The port scan probes the IP addresses assigned to both the gateway and the UTM, however the report shows that the open ports are associated with the UTM and not the gateway. Is there any possibility that the gateway is skewing the results?

    I have also checked the automatic firewall rules. There are three automatically created rules on both devices that are identical to support an IPSec site-to-site connection (2 rules) and an SSL remote access profile for radius users (1 rule). As the automatic firewall rules are the same on both devices it's likely that these are not the reason for the open ports.

    Regards,

    Lee.

  •      "Is there any possibility that the gateway is skewing the results?"

    I bet you hit on the issue, Lee!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob. Would it be difficult to ascertain for sure whether the supplied gateway is causing the port scan to falsely identify the UTM as having the open ports? It would be good if there was a way I could perform a definitive test without involving the telecoms provider to make changes to their equipment that would interrupt our services.
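One way to get closer to a definitive answer from outside, without touching the provider's equipment, is to probe the gateway's public address and the UTM's public address separately with the same port list, diff the two result sets, and, for 5060, ask whichever device answers to identify itself with a SIP OPTIONS request. The script below is an added example written for this thread; it is not code from the thread's participants, from Sophos, or from Fortinet. It assumes the two public IPs are supplied on the command line (placeholders here), and it assumes, which may not hold, that the SIP responder announces a product name in a Server or User-Agent header; the embedded SIP response is constructed for offline demonstration only.

```python
"""Compare open TCP ports on two external addresses and identify a SIP responder.

Added example for the UTM port-scan thread (not Sophos or Fortinet code).
Run from a host outside the site: python portcheck.py <gateway_ip> <utm_ip>
"""
import socket
import sys
from typing import Dict, Iterable, Optional, Set

# Ports discussed in the thread; 443 is added so the diff has a shared entry.
DEFAULT_PORTS = (443, 2000, 5060)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a full TCP handshake completes (the port is open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Set[int]:
    """Set of ports on `host` that accept a TCP connection."""
    return {p for p in ports if tcp_connect(host, p, timeout)}


def diff_open_ports(a: Set[int], b: Set[int]) -> Dict[str, Set[int]]:
    """Split two open-port sets into only-a, only-b and shared."""
    return {"only_a": a - b, "only_b": b - a, "both": a & b}


def sip_options_request(host: str, local_tag: str = "portcheck") -> bytes:
    """Minimal SIP OPTIONS request (RFC 3261) asking the listener to identify itself."""
    return (
        f"OPTIONS sip:{host} SIP/2.0\r\n"
        f"Via: SIP/2.0/TCP {local_tag}.invalid;branch=z9hG4bK-{local_tag}\r\n"
        f"From: <sip:{local_tag}@{local_tag}.invalid>;tag=1\r\n"
        f"To: <sip:{host}>\r\n"
        f"Call-ID: {local_tag}-1@{local_tag}.invalid\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def parse_sip_headers(raw: bytes) -> Dict[str, str]:
    """Parse a SIP response's status line and headers into a dict (keys lower-cased)."""
    head, _, _ = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def identify_sip_responder(raw: bytes) -> Optional[str]:
    """Product string the responder announces, if it announces one at all."""
    headers = parse_sip_headers(raw)
    return headers.get("server") or headers.get("user-agent")


def sip_options_probe(host: str, port: int = 5060, timeout: float = 3.0) -> Optional[bytes]:
    """Send OPTIONS over TCP and return whatever the listener replies (None on failure)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(sip_options_request(host))
            sock.settimeout(timeout)
            return sock.recv(4096)
    except OSError:
        return None


# Constructed sample reply, used only to show what the parser extracts.
SAMPLE_SIP_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/TCP portcheck.invalid;branch=z9hG4bK-portcheck\r\n"
    b"Server: ExampleSBC/1.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def main(argv: list) -> int:
    if len(argv) != 3:
        print("usage: portcheck.py <gateway_ip> <utm_ip>")
        return 2
    gateway, utm = argv[1], argv[2]
    g_open, u_open = open_ports(gateway, DEFAULT_PORTS), open_ports(utm, DEFAULT_PORTS)
    print("gateway open:", sorted(g_open), "utm open:", sorted(u_open))
    print("diff:", diff_open_ports(g_open, u_open))
    for label, host in (("gateway", gateway), ("utm", utm)):
        if 5060 in (g_open if label == "gateway" else u_open):
            reply = sip_options_probe(host)
            print(f"{label} 5060 responder:", identify_sip_responder(reply) if reply else "no reply")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the UTM's address shows 2000 and 5060 open while the gateway's address does not, and the 5060 responder names the provider's product, the listener is upstream of the UTM (the gateway answering for addresses it forwards) rather than a UTM service; if both addresses return the same responder string, that also points to the gateway. A listener that returns nothing on OPTIONS still tells you the port accepts connections, which is worth noting in the change record either way.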