Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
David_Chau
Contributor

Open ports found on existing and non-existing IPs

Our weekly scans show open ports for devices that have locked down rules.  For example we allow inbound access for https but the external scans show ports TCP 1720, 5060 and 2000.  We are also seeing TCP 1720 on non-existing IPs.  I have used Tenable and NMAP scanners to verify.  Any ideas?

0 Kudos
Reply
4 Replies
Peter_Sandkuijl
Employee
Employee

Any chance you have a VoIP configuration or a remnant thereof? Do the IP addresses at least look familiar? Can you ARP for them?

0 Kudos
Reply
David_Chau
Contributor

No VOIP servers configured on that network that I know of.  For the IPs I know that are live, we have rules that drop that traffic.

0 Kudos
Reply
Juan_Lobera
Contributor

Hi!

Check this SK about the SIP port. How to disable 'fw early SIP nat' chain / SIP inspection 

Regarding H323, try deleting all h323 services on the dashboard (if you are not using voip services) and install policy.

That should do

0 Kudos
Reply
Daniel_Taney
Advisor

@David_Chau We just observed similar behavior after an external scan. I see the thread here kind of died off... did you ever get a definitive answer to account for this behavior?

R80 CCSA / CCSE
0 Kudos
Reply