topic Re: Changing ssh port on CP firewall in Firewall and Security Management

Changing ssh port on CP firewall

the_rock — Tue, 25 Aug 2020 15:17:34 GMT

I know this may sound like a really dumb question, but is there any way to change ssh port for CP appliances (NOT smb)? I tried looking in clish, web gui, cant find the option anywhere. I even "combed: through whole clish config, nothing for ssh there.

Thanks in advance!

Re: Changing ssh port on CP firewall

Danny — Tue, 25 Aug 2020 15:29:57 GMT

vi /etc/ssh/sshd_config && /etc/init.d/sshd restart

Re: Changing ssh port on CP firewall

the_rock — Tue, 25 Aug 2020 15:39:58 GMT

Thanks Danny. tried that, no luck. All I did was vi the file, change port 22 to something random, restarted ssh service, but it still connected on port 22.

Re: Changing ssh port on CP firewall

asc — Tue, 25 Aug 2020 15:41:05 GMT

As there are no means to configure that on clish or web gui you may just edit /etc/ssh/sshd_config

Uncomment the "Port" directive and change the port number to what you want. Activate the change by service sshd restart.

Take care: Update your rulebase to allow the new port before changing to avoid getting locked out!

Re: Changing ssh port on CP firewall

G_W_Albrecht — Tue, 25 Aug 2020 15:56:47 GMT

Original:

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options change a

# default value.

#Port 22

#Protocol 2,1

Protocol 2

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

Change to:

# default value.

Port <something random>

#Port 22

#Protocol 2,1

Protocol 2

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

Re: Changing ssh port on CP firewall

the_rock — Tue, 25 Aug 2020 16:23:30 GMT

K, not really sure what Im missing...

#Port 777
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Re: Changing ssh port on CP firewall

Mike_A — Tue, 25 Aug 2020 16:54:03 GMT

Remove the "#" in front of the line that pertains to the port.

From this

#Port 777
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

To this

Port 777
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

And then restart services as Danny had said.

Re: Changing ssh port on CP firewall

the_rock — Tue, 25 Aug 2020 16:55:50 GMT

That was actually first thing I tried, but did not work. Let me just reboot this fw, since its in the lab anyway, and I will update after 🙂

Re: Changing ssh port on CP firewall

the_rock — Tue, 25 Aug 2020 17:05:25 GMT

Thanks everyone, reboot worked! take care and thanks for the help!!

Re: Changing ssh port on CP firewall

G_W_Albrecht — Thu, 27 Aug 2020 07:39:30 GMT

# set admin-access

allowed-ipv4-addresses - Administrator access permissions policy for source IP addresses

ssh-access-port - SSH Port

support-weak-tls-version - For security reasons, it is highly recommended never to change this parameter's value. Support of TLSv1.0 will be added back to the administration portal to allow connectivity with old browsers (usually ones released prior to 2014). Changing the default of this parameter exposes the administration portal to attacks that use vulnerabilities like Heartbleed (CVE-2014-0160).

web-access-port - Web Port (HTTPS)

interfaces - Configure which interfaces admin access is allowed from

Re: Changing ssh port on CP firewall

John_Fleming — Thu, 27 Aug 2020 14:11:47 GMT

That is only for Gaia Embedded (smb).

Re: Changing ssh port on CP firewall

the_rock — Thu, 27 Aug 2020 14:37:16 GMT

Correct John...by the way, I ended up changing sshd_config and after reboot, it all worked fine. Not really sure why I had to reboot, since ssh service restart would be sufficient, but anyway. Its Check Point :)))

Re: Changing ssh port on CP firewall

John_Fleming — Thu, 27 Aug 2020 16:05:44 GMT

This is a R80.40 MDS.

[Expert@MDS1:0]# netstat -anp | grep sshd | grep LIST
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5310/sshd
[Expert@MDS1:0]# sed -i 's,^#Port 22$,Port 2222,' /etc/ssh/sshd_config
[Expert@MDS1:0]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[Expert@MDS1:0]# netstat -anp | grep sshd | grep LIST
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 25930/sshd
[Expert@MDS1:0]#

Looks like no reboot required?

Re: Changing ssh port on CP firewall

ShemHunter — Tue, 24 Mar 2026 13:57:15 GMT

Hi John,

I'm trying it on 80.40, I don't think anything depends on the version, a reboot is not necessary, but even if a reboot occurs, everything is automatically commented out. And I will again be able to connect via port 22 and not via the port I specified earlier before the reboot.

Re: Changing ssh port on CP firewall

Steffen_Appel — Tue, 24 Mar 2026 14:42:08 GMT

Which fw version are you on, only newer ones use systemctl, older ones need /etc/init.d/sshd stop/start

Re: Changing ssh port on CP firewall

Steffen_Appel — Tue, 24 Mar 2026 14:43:12 GMT

try to change the file and then issue

/etc/init.d sshd stop

/etc/init.d sshd start