topic Re: Need to close port 80 and 443 on external interface in Firewall and Security Management

Need to close port 80 and 443 on external interface

Tony_Graham — Tue, 03 Mar 2026 17:53:33 GMT

Recently updated to R82 JHF 60 and now we have port 80 and 443 admin connections open to our gateway. We do not know why that is occurring as we have made no changes other than applying the JHF. We have a stealth rule for our gateway external interfaces which drop all inbound connections to it. We do not use VPN's or any other remote access technology. We assume there is some implied rule that is creating the behavior but are not sure which one it could be. Any assistance appreciated before we go to TAC.

Looking in the logs we find Access Rule Name: Implied Rule

Access Rule Number: 0

There is no Rule 0 configured.

The most likely rule is 'Accept Web and SSH connections for Gateway Administration' under implied rules but unchecking that makes no difference.

Re: Need to close port 80 and 443 on external interface

CaseyB — Tue, 03 Mar 2026 18:10:41 GMT

I would check these gateway settings:

Re: Need to close port 80 and 443 on external interface

the_rock — Tue, 03 Mar 2026 18:15:48 GMT

Hey Tony,

See if this post I made while ago is relevant to your situation.

https://community.checkpoint.com/t5/SASE-and-Remote-Access/Geo-VPN-blocking/m-p/214040#M10593

Re: Need to close port 80 and 443 on external interface

Tony_Graham — Tue, 03 Mar 2026 18:16:38 GMT

It is set to internal only.

Re: Need to close port 80 and 443 on external interface

Tony_Graham — Tue, 03 Mar 2026 18:21:58 GMT

I have been tinkering with sk165937

I was able to close port 80 using:

multi_portal_allow_redirect 0 but it is not truly disabled, just closed so it will still respond to a port scan.

Editing implied_rules.def and commenting out ENABLE_PORTAL_HTTP_REDIRECT has no effect (the SK is actually for R81 series)

I have pushed policy after making changes.

Re: Need to close port 80 and 443 on external interface

Tony_Graham — Tue, 03 Mar 2026 18:33:08 GMT

I found some notes on the last time this happened with R82. I will post them here.

Not sure who I was conversing with at the time.

To close 80 and 443 after update

Another possible method is enabling the parameter fw_ignore_before_drop_rules.
What this does is makes it so that your rulebase takes priority over the implied rules for the http portal services.

You can check the current value by running:
fw ctl get int fw_ignore_before_drop_rules

If it is at 0 (default value) then the feature is currently disabled.

If you want to enable it, you can run:
fw ctl set int fw_ignore_before_drop_rules 1

On the management server edit implied_rules.def in /opt/CPSuite82/fw1/lib set to end of rule to drop.

#define multiportal_real_ports_block_in \
start_rule_code(MAKE_RULENUM(0,0x62)), \
tcp, ((inbound, (IS_MY_IPADDR(dst) or IS_LOCAL_CLUSTER_IP(dst)))), \
(dport in multiportal_real_ports) or (dport = 8880) or (dport = 444) or (dport = 8082), IMPLIED_LOG, drop;

push policy access control via smart console.

I spoke with RnD and in turns out there was newly added feature in R82.

By adding this line into the $FWDIR/conf/user.def.FW1 file, you are able to change *all* implied rules that originally rejected into drops instead.

#define ENABLE_DROP_INSTEAD_OF_REJECT

Example of it being in my file:
#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

#define ENABLE_DROP_INSTEAD_OF_REJECT

#endif /* __user_def__ */

I will add an SK in the future to document this procedure. (again I do not know who this was.)

Re: Need to close port 80 and 443 on external interface

the_rock — Tue, 03 Mar 2026 18:46:05 GMT

K, excellent!