topic Re: block port 443 and 80 and 18264 on checkpoint external firewall in Firewall and Security Management

block port 443 and 80 and 18264 on checkpoint external firewall

Ana_11 — Sat, 28 Mar 2020 11:23:07 GMT

Can someone tell how to block port 443. port 80.port 18264 on external interface of checkpoint firewall

Re: block port 443 and 80 and 18264 on checkpoint external firewall

Vladimir — Sat, 28 Mar 2020 13:14:21 GMT

You'd have to change the management port in Gaia, individual default portal ports in the properties of the gateway, manually define explicit rules for management access on top of your security policy, change Global Properties properties by disabling Implied Rules pertaining to management.

After it is done, implement NAT to Null IP as per @HeikoAnkenbrand answer in this post: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/How-to-disable-Gaia-access-from-the-Internet/td-p/8227

Cheers,

Vladimir

Re: block port 443 and 80 and 18264 on checkpoint external firewall

PhoneBoy — Sat, 28 Mar 2020 19:47:52 GMT

If you have any VPNs (client or site-to-site) or gateways that you manage from the Internet, you cannot disable TCP 18264 (used for certificate revocation) and expect that to continue working.
HTTPS is used for Visitor Mode on Client-to-Site VPNs and for clients to obtain their initial configuration, thus this may break some clients ability to use VPN.
HTTP mostly just redirects to HTTPS but it should be blocked if you put in an explicit rule to do so.

Re: block port 443 and 80 and 18264 on checkpoint external firewall

HeikoAnkenbrand — Sat, 28 Mar 2020 20:33:01 GMT

Hi @Ana_11;

THX to @Vladimir

Here the solution: Add an static NAT rule and NAT it to null IP:-)

src: internet
dst: portal ip
port: portal port
NAT src: internet
NAT dst: static NAT to null IP for example 127.0.0.99
NAT port: portal port

Re: block port 443 and 80 and 18264 on checkpoint external firewall

ham2065 — Wed, 21 Sep 2022 05:24:39 GMT

I have this issue as well (http/https open on external interface gateways). We used to use Mobile Access but I disabled the Mobile Access blade about a year ago and afaik have no use any Multi Portal functions on the external interface.

I found this article sk155512 -

How to determine which portal is causing MultiPortal to respond on external interface

Is this relevant in this case? The article states - "MultiPortal creates an implied rule and accepts traffic on port 443 or port 80 if a portal is set to be accessible from All Interfaces. This setting might persist even if the blade was later disabled. This can be changed in the following manner:"

The article is very vague with instruction such as - 5. Change the setting accordingly. I tried to follow the article along in GuiDBedit but could not work out what to do.

A while back I opened a support ticket with Checkpoint but got nowhere with it.

Re: block port 443 and 80 and 18264 on checkpoint external firewall

PhoneBoy — Thu, 22 Sep 2022 14:40:09 GMT

If you're talking about ports 80/443 to the gateway itself, MultiPortal is definitely involved.
Screenshots of where precisely you're confused might help.

Re: block port 443 and 80 and 18264 on checkpoint external firewall

Nazarii_Makohin — Thu, 09 Feb 2023 19:54:05 GMT

Mode of God:)

Very nice idea.

Re: block port 443 and 80 and 18264 on checkpoint external firewall

Ilovecheckpoint — Fri, 15 Dec 2023 17:42:26 GMT

Hello,

My device is listening on port 80 and 443 from Internet, inven if netstat -nat do not show it.

Accessibility is configured to "According to the firewall policy".

Rules are set to allow only specific ip addresses, so it should be blocked.

Mobile access blade is not active.

Firewall log do not see my tests ( by I see all attacks which are drop) and it logs all implicit and explicit rules.

Telnet to port 80 and 443 show they are open, but connection to Gaia is reset.

Any idea why?

Re: block port 443 and 80 and 18264 on checkpoint external firewall

PhoneBoy — Fri, 15 Dec 2023 21:34:51 GMT

Have you tried: https://support.checkpoint.com/results/sk/sk165937