topic Re: vpnd process running, vpn blade not enabled in Firewall and Security Management

vpnd process running, vpn blade not enabled

David_C1 — Tue, 04 Oct 2022 18:39:30 GMT

A question that has bothered me for some time. I have a gateway (cluster) with FW, IA, ClusterXL, Monitoring, and IPS blades enabled. ps shows the vpnd process running, netstat shows it listening on several VPN specific ports:

I'm looking for an explanation...sk177128 hints that vpnd may be running for Multiportal. pstree really isn't too much help as to what starts it up:

Is there any official sk, documentation, whatever that would explain why/what triggers the use of vpnd? We have compliance requirements to document all required services and listening ports.

Thanks,

Dave

Re: vpnd process running, vpn blade not enabled

Tim_Koopman — Tue, 04 Oct 2022 20:28:57 GMT

Not sure on official documentation but in this case I can say it is because you have Identity Awareness enabled.

Tim

Re: vpnd process running, vpn blade not enabled

Chris_Atkinson — Wed, 05 Oct 2022 03:31:53 GMT

Are you using the "Identity Agent" with Identity Awareness in your environment?

Re: vpnd process running, vpn blade not enabled

Tal_Paz-Fridman — Wed, 05 Oct 2022 10:40:46 GMT

It is related to other Portals:

"As well as establishing Site-to-Site and Remote Access VPN, the VPND process is also responsible for presenting the certificates used for Portals, other the the Platform Portal"

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109172

Re: vpnd process running, vpn blade not enabled

David_C1 — Wed, 05 Oct 2022 12:25:06 GMT

No, only using Identity Collectors in our environment.

Dave

Re: vpnd process running, vpn blade not enabled

David_C1 — Wed, 05 Oct 2022 12:57:23 GMT

Thanks everyone for the information. Putting some more pieces together, it seems:

1. vpnd is used for Multiportal functionality

2. Multiportal functionality is enabled if a) Identity Awareness is enabled and/or b) the Gaia portal is configured to use 443. I base b) off of a statement in sk115732:

3. I have Identity Awareness enabled on this gateway and 443 is used for the Gaia portal. Even though I am not using captive portal or usercheck on this gateway, Multiportal is enabled, though only one portal configured:

4. If vpnd is running (due to the above circumstances) it will still listen on traditional vpn ports (e.g. TCP 500) even though vpn blade is not enabled (this seems dumb, but is what it is).

Based on this sleuthing (and other similar rabbit holes I have gone down) I'll say Check Point's documentation on services/daemons and network ports used by products has improved, but there's much room for improvement. In the regulatory world that I live in (and I'm guessing many others reading this) we are required to have detailed documentation of running processes/services and network listening ports on critical systems. If there were better documentation around this, it would have saved me a lot of time.

Dave

Re: vpnd process running, vpn blade not enabled

David_C1 — Wed, 05 Oct 2022 13:16:35 GMT

Adding a little more information - I examined another gateway that only has FW and Monitoring blades enabled (no IA). 443 is used for the Gaia portal. Multiportal is running, but the vpnd process is not:

Based on this I'd say that the vpnd process will run only if IA is running. Multiportal running is not sufficient for vpnd to be started.

Dave