
KB – FortiGate VPN Identifies TCP Port 2000 as SCP Traffic

Description:

FortiGate VPN software incorrectly identifies traffic on TCP port 2000 as SCP (Secure Copy Protocol) traffic and applies deep packet inspection or protocol-specific handling that mangles BBj’s proprietary protocol packets on this port.

Symptoms:
  • Application connections on TCP port 2000, such as Replication or Data Server, fail or behave unexpectedly when routed through FortiGate VPN
  • Packet corruption or modification observed in network captures
  • Connection timeouts or unexpected disconnections

Root Cause: FortiGate firewalls maintain an internal service database that associates TCP port 2000 with SCP traffic. When the VPN software encounters traffic on this port, it applies SCP-specific processing, including:

  • Deep packet inspection expecting SCP protocol format
  • Protocol-specific filtering or modification
  • Security policies designed for SCP traffic

This causes issues for applications using proprietary protocols on the same port, as the FortiGate device attempts to parse and potentially modify the packet contents based on incorrect protocol assumptions.

Solution: The most straightforward solution is to configure BBjServices on the affected server to use port 2200 instead of 2000 for the File System Server:

Enterprise Manager → BBjServices → Servers

Select Filesystem/Enterprise Namespace Server

Change the port from 2000 to 2200. 

Click Save.

* A restart of BBjServices is required to complete the change.
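To check whether the VPN path alters payloads on a given port, the following added example (not BASIS or Fortinet tooling, and not part of the original article) echoes random bytes across the tunnel and compares what comes back. It assumes Python 3.8+ on both ends and that the probed ports are free on the far-side host, for example port 2000 after the File System Server has moved to 2200, plus one other unused port for comparison; the script name and the `mangle` self-test switch are hypothetical.

```python
import os
import socket
import threading


def echo_server(port, host="0.0.0.0", mangle=False):
    """Start a background echo listener and return the bound port.

    mangle=True flips one bit per chunk to imitate an in-path device
    rewriting payloads; it exists only to self-test probe().
    """
    srv = socket.create_server((host, port))

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    while chunk := conn.recv(4096):
                        if mangle:
                            chunk = bytes([chunk[0] ^ 0x01]) + chunk[1:]
                        conn.sendall(chunk)
            except OSError:
                continue  # peer reset or timed out; keep listening

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, size=8192, timeout=5.0):
    """Return "intact", "modified", or "failed" (refused, reset, timeout)."""
    payload = os.urandom(size)  # random bytes match no known protocol
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # signal end of data to the echo side
            echoed = b""
            while chunk := s.recv(4096):
                echoed += chunk
    except OSError:
        return "failed"
    return "intact" if echoed == payload else "modified"


if __name__ == "__main__":
    import sys
    # Far side of the VPN:  python3 vpn_probe.py serve PORT
    # Near side:            python3 vpn_probe.py probe HOST PORT [PORT ...]
    if sys.argv[1] == "serve":
        echo_server(int(sys.argv[2]))
        threading.Event().wait()  # keep the listener running
    else:
        for p in sys.argv[3:]:
            print(p, probe(sys.argv[2], int(p)))
```

A result of "modified" or "failed" on port 2000 alongside "intact" on the comparison port is consistent with the port-specific handling described above.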
