topic Re: Port 444 SSL Extender in Firewall and Security Management

Port 444 SSL Extender

Tony_Graham — Mon, 10 Jan 2022 18:59:18 GMT

All,

I just updated from R80.40 to R81 so I did a follow up external port scan (GRC shields Up) to see if everything looked as

expected. It picked up on port 444 stating it is 'closed'. All other ports are 'stealth'.

I remember in the past this happening and I was able to disable a service and get it back to 'stealth'.

The current 'closed' port has to do with SSL Extender VPN. We do not use VPN in any capacity and therefore

it is not used. If I check the gateway settings the only blades I have active are Firewall and Anti-SPAM & Email Security.

Any ideas on what clicky box I need to find to get back to full stealth?

Thanks!

Re: Port 444 SSL Extender

the_rock — Mon, 10 Jan 2022 19:27:15 GMT

Thats a bit odd, if you dont even have the blade enabled. Hm...let me look into that for you.

Andy

Re: Port 444 SSL Extender

G_W_Albrecht — Tue, 11 Jan 2022 11:24:36 GMT

Port 443 would have been used by SSL VPN and Visitor Mode as well as by IA blades Browser Auth and TS Agent - but port 444 is not used by CP at all...

Re: Port 444 SSL Extender

HeikoAnkenbrand — Tue, 11 Jan 2022 11:46:26 GMT

Hi @Tony_Graham

Check which process is running on the port:
netstat -tulpn | grep ":444"

Now the process and the process ID should be output at the last position.
Depending on the process, you decide what needs to be disabled.

Furthermore, this should not be a problem if there is a stealth rule on the firewall that prevents access to port 444.

Re: Port 444 SSL Extender

the_rock — Tue, 11 Jan 2022 13:17:30 GMT

Guys are definitely right, port 444 would not even be used by the firewall.

Re: Port 444 SSL Extender

K_montalvo — Tue, 11 Jan 2022 13:28:58 GMT

Hello Tony,

You sure you are scanning the correct IP Address? Port 444 could just be an snpp protocol or something else. As other comments on this post you can verify in the FW CLI for netstat or do a pgrep 444 or ps aux | grep 444 and confirm if is running any PID, if you can to kill process use kill and (PID)

Thanks,

Re: Port 444 SSL Extender

Chris_Atkinson — Tue, 11 Jan 2022 13:34:40 GMT

Have you performed visitor mode customizations historically like those referenced in sk111974?

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 15:00:42 GMT

netstat -tulpn | grep ":444"

returns nothing of value.

There is a stealth rule in place so I assume if it something in Global that is overriding it.

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 15:01:29 GMT

As it is a Sandblast appliance there is no other product installed on it.

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 15:05:18 GMT

GRC does an autodetect to determine the originating IP for the scan which is my external gateway.

I have confirmed this. There are no running PIDs on that port that I can find.

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 15:15:24 GMT

You may have jogged a spider web out of my mind. In the past when this port popped up it had something to do with an external CP control connection in Global Properties. I don't recall which one needed to be unticked to stealth 444 but one of them does. I think it's an error that 444 isn't used. It might not be used but something exposes it and there is a clicky bit to turn it back off.

Re: Port 444 SSL Extender

the_rock — Tue, 11 Jan 2022 15:41:38 GMT

What @Chris_Atkinson said makes sense. That came to my mind as well...check implied_rules.def on mgmt server, as well as under gateway object -> vpn clients -> remote access -> support visitor mode...what port is listed there?

Andy

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 16:58:47 GMT

Well that's the trick. I cannot check gateway object --> vpn clients because there is not a menu for that.

R81. Inside implied_rules.def on mgmt server I see a line under

#define multiportal_real_ports_block_in

(dport in multiportal_real_ports) or (dport = 8880) or (dport =444) or (dport = 8802), IMPLIED_LOG, reject;

So something does monkey with 444. I think I'll contact TAC about it so they know the port is getting set as enabled but closed for some reason.

**UPDATE** The stealth rule does not block the 444 port.

Re: Port 444 SSL Extender

Wolfgang — Tue, 11 Jan 2022 17:52:32 GMT

Have a look Remote Access with Visitor Mode set to use TCP port 444 no longer works after upgrading to R77.30

something was changed from default…

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 18:00:23 GMT

Yes. I have been through that SK. I do not wish to enable remote access.

I could change (dport in multiportal_real_ports) or (dport = 8880) or (dport =444) or (dport = 8802), IMPLIED_LOG, reject;

to 'drop' from 'reject' but not sure what consequences/side-effects that would have for the other ports 8880 or 8802.

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 18:13:53 GMT

Also note I have gone through the Smart Console Policy editor and viewed the Implied Rules.

There are no references to 444, 8802 or 8880 in the implied rules. Not sure why they are in implied_rules.def.

I also have no service objects for those ports in my policy editor so maybe it is cruft from an upgrade that can be removed. Beyond my pay grade at this point. Have to wait and see what TAC says.

Re: Port 444 SSL Extender

HeikoAnkenbrand — Tue, 11 Jan 2022 18:20:35 GMT

Do you defined a static NAT rule for port 444?

Re: Port 444 SSL Extender

the_rock — Tue, 11 Jan 2022 18:21:17 GMT

I would hate to advise anyone to change that file (implied_rules.def), BUT...one thing you could try is make a copy and modify that line with port 444, verify, apply policy and re-run the test again.

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 18:30:38 GMT

No I have never used 444 for anything.

Re: Port 444 SSL Extender

Tony_Graham — Tue, 11 Jan 2022 18:36:43 GMT

"I would hate to advise anyone to change that file (implied_rules.def), BUT..", you just did LOL.

I was confident enough to give it a whirl as I was leaning that way myself.

By the way it worked. 444 is now stealthed again. I changed the line from 'reject' to 'drop'.

I don't know why I remember having to do this awhile back for the same reason. According to sk92281 this file

gets overwritten during upgrades so if I had made the change in the past it would have gotten zapped during my move to R81 last Friday. Still don't know why these entries in implied_rules.def are appearing to begin with.