port 2000 and NMAP


L1 Bithead

I'm having an issue where any traffic through Palo Alto using destination port 2000 will create a TCP handshake and no more traffic will pass. I've talked to support and no traffic is being dropped by the firewall. I've added a rule to allow TCP 2000 as a service, so it shouldn't be doing anything with the App-ID, and no difference in behavior.

 

Another odd thing I see is that if I nmap any host (existing or not) through the firewall, TCP ports 2000 and 5060 show open. I'm assuming this is related.

 

nmap X.X.X.X -PN

Starting Nmap 5.21 ( http://nmap.org ) at 2016-03-24 11:19 CDT
Nmap scan report for X.X.X.X
Host is up (0.00044s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
113/tcp closed auth
2000/tcp open cisco-sccp
5060/tcp open sip

Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

5 REPLIES

L4 Transporter

Hi,

 

What is the traffic end reason in the traffic logs? Which application is recognized, again in the traffic logs? Which applications did you allow in the corresponding rule?

 

Benjamin

Traffic end is usually tcp-fin. Application is always incomplete. Rule allows any application and application-default for service. I've also tried to do it with any application and TCP 2000 defined as the service. I should probably mention this is a messaging service that's been programmed to use port 2000, so it's not SCCP (the normal expected app for 2000).

As far as I know, the firewall cannot set the FIN flag on the TCP packets, so it must come from the server or appliance you're connecting to. My guess is that there must be something blocking the connection at the application level on the server end. If there was something blocking at a lower level (e.g. Windows firewall), NMAP would not say the port is open.

 

Regards,

 

Benjamin

Application incomplete means that the TCP 3-way handshake did not complete.

I suggest taking a packet capture on the firewall (under the Monitor tab) and verifying whether you see all of SYN, SYN-ACK and ACK going by, and who sends the TCP FIN.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

It's definitely not an issue on the server. Same-subnet traffic connects just fine; it's only through the firewall. TCP handshake shows 3-way. But let's take that example out of the question.

 

I have 2 zones, a trust and a DMZ. The rule is to allow all from trust to DMZ, any application, any service. If I scan that subnet it shows 2000 open on every single IP in that subnet, whether a host exists or not.

 

If I telnet to that port on a host that doesn't even exist, I get a connection. Nothing in the ARP table for this IP or anything.

 

mabernathy@plnasops:~$ telnet x.x.x.x 2000
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.


^C^C^C^]

telnet> quit

 

The traffic logs on this traffic show aged-out.
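The thread's key observations are a handshake that completes for a host that does not exist, an nmap result of "open" on 2000/tcp and 5060/tcp for every address in the subnet, and sessions that end as aged-out or tcp-fin with the application logged as incomplete. The following Python probe is an added example, not code from the thread or from Palo Alto Networks. It reproduces, against loopback listeners so it runs offline, the three post-handshake behaviours the posters describe and classifies them from the client side; the probe payload, the timeout and the category names are my own assumptions. Pointed at a DMZ address you know is unused, it gives the same evidence the telnet test gave: if the handshake completes and then nothing comes back, something in the path (not the host) answered the SYN.

```python
"""Added example (not from the original thread): classify what a TCP
port is really doing from the client side.

Outcomes, and how they line up with what the thread reports:
  filtered          no SYN/ACK at all (nmap 'filtered')
  closed            RST in reply to SYN (nmap 'closed', like 113/tcp above)
  open-silent       handshake completes, then nothing until the timeout;
                    the firewall logs such a session as 'aged-out'
  open-then-closed  handshake completes, then the peer sends FIN or RST
                    without any data; the firewall logs 'tcp-fin'
  open-responsive   a real service answered the probe
"""
import socket
import threading

PROBE = b"PING\r\n"   # assumed payload; any short request the service tolerates


def probe(host, port, timeout=1.0, payload=PROBE):
    """Connect, send one payload, and classify the result (see module doc)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"            # RST to our SYN: a real stack said no
    except OSError:                # includes socket.timeout: no SYN/ACK at all
        return "filtered"
    try:
        s.sendall(payload)
        data = s.recv(1024)
    except socket.timeout:
        return "open-silent"       # handshake done, then silence: 'aged-out' pattern
    except OSError:                # RST after the handshake (ConnectionResetError etc.)
        return "open-then-closed"
    finally:
        s.close()
    # recv() returning b"" means the peer sent FIN without data
    return "open-responsive" if data else "open-then-closed"


def start_listener(mode):
    """Loopback listener imitating one behaviour; returns its port.
    mode: 'silent' (accept, never answer), 'fin' (accept, close at once),
    'echo' (accept, answer). Used only to make the example run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if mode == "silent":
                        while conn.recv(1024):   # hold the session until the client gives up
                            pass
                    elif mode == "echo":
                        conn.sendall(b"+OK " + conn.recv(1024))
                    # 'fin': leaving the block closes the socket immediately
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port with no listener, to demonstrate the 'closed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for mode in ("echo", "silent", "fin"):
        print(f"{mode:6} -> {probe('127.0.0.1', start_listener(mode))}")
    print(f"none   -> {probe('127.0.0.1', free_port())}")
```

To apply this across the firewall, call `probe(addr, 2000)` for an address in the DMZ subnet that has no host behind it and compare with a port the rule also allows but that nmap did not report as open; an "open-silent" or "open-then-closed" result on a non-existent host, alongside "filtered" on the other port, isolates the handshake to the device in the path rather than the endpoint. The "filtered" case cannot be reproduced on loopback, so it is not exercised by the local listeners.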
