topic Re: port 2000 and NMAP in General Topics

port 2000 and NMAP

Mat_FA — Thu, 24 Mar 2016 16:20:37 GMT

I'm having an issue where any traffic through palo alto using destination port 2000 will create a tcp handshake and no more traffic will pass. I've talked to support and no traffic is being dropped by the firewall. i've added a rule to allow tcp 2000 as a service so it shouldn't be doing anything with the appid and no difference in behavior.

Another odd thing i see is that if i nmap any host (existing or not) through the firewall tcp ports 2000 and 5060 show open. I'm assuming this is related.

nmap X.X.X.X -PN

Starting Nmap 5.21 ( http://nmap.org ) at 2016-03-24 11:19 CDT
Nmap scan report for X.X.X.X
Host is up (0.00044s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
113/tcp closed auth
2000/tcp open cisco-sccp
5060/tcp open sip

Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

Re: port 2000 and NMAP

BenjAudy.MTL — Thu, 24 Mar 2016 17:46:16 GMT

Hi,

What is the traffic end reason in the traffic logs? Which application is recognized, again in the traffic logs? Which applications did you allow in the corresponding rule?

Benjamin

Re: port 2000 and NMAP

Mat_FA — Thu, 24 Mar 2016 18:12:33 GMT

traffic end is ussually tcp-fin. Application is alwysa incomplete. rule allows any application and application default for service. i've also tried to do it with any application and tcp 2000 defined as the service. I should probably mention this is a messaging service that's been programmed to use port 2000 so it's not sccp (the normal expected app for 2000)

Re: port 2000 and NMAP

BenjAudy.MTL — Thu, 24 Mar 2016 21:25:21 GMT

As far as I know, the firewall cannot set the FIN flag on the TCP packets, so it must come from the server or appliance you're connecting to. My guess is that there must be something blocking the connection at the application level on the server end. If there was something blocking at a lower level (e.g. Windows firewall), NMAP would not say the port is open.

Regards,

Benjamin

Re: port 2000 and NMAP

Raido_Rattameister — Fri, 25 Mar 2016 05:23:49 GMT

Application incomplete means that TCP 3-way handshake did not complete.

I suggest to take packet capture on the firewall (under Monitor tab) and verify if you see all syn, syn ack and ack going by and who sends tcp fin.

Re: port 2000 and NMAP

Mat_FA — Fri, 25 Mar 2016 15:08:14 GMT

It's definitly not an issue on the server. same subnet traffic connects just fine. it's only through the firewall. tcp handshake shows 3 way. but let's take that example out of the question.

i have 2 zones a trust and a DMZ the rule is to allow all from trust to dmz any application any service. If i scan that subnet it shows 2000 open on every single ip in that subnet if a host exists or not.

if i telnet to that port on a host that doesn't even exist. i get a connection. nothing in arp table for this ip or anything.

mabernathy@plnasops:~$ telnet x.x.x.x 2000
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.

^C^C^C^]

telnet> quit

the traffic logs on this traffic shows aged-out.