topic Re: To block 18264 on CheckPoint External Firewall in Firewall and Security Management

To block 18264 on CheckPoint External Firewall

Bruce_Lee — Sat, 23 Jan 2021 04:54:02 GMT

Hi All,

Need your guy's advice on how to block port 18264 on external interface of checkpoint firewall access.
As CheckPoint Support not recommended to disabled the "Accept Control Connection", it will blocking traffic on this port can impact Firewall SMS communication, and VPN authentication among other services.

Understand that after disabled the "Accept Control Connection", we can create explicit rules to control the traffic.

It will need a lot of effort on explicit rules since our SMS having more than 10 gateways.

Is there an alternative way to block port 18264 ?

We had tried below solution, however, it's still accessible to port 18264 on external interface

- Add an static NAT rule and NAT it to null IP (Implied rule goes first, so NATing is not working)
https://community.checkpoint.com/t5/General-Topics/block-port-443-and-80-and-18264-on-checkpoint-external-firewall/td-p/80059

- Manually change the implied_rule.def

-> //#define ENABLE_PORTAL_HTTP_REDIRECT in implied ruleshttps://community.checkpoint.com/t5/Security-Gateways/How-to-disable-Gaia-access-from-the-Internet/td-p/8227

-Modified the implied_rule.def
Change it to: // #define ENABLE_FW1_ICA_SERVICES
(add // before #)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk35292

Kindly adsie on this.

Thank you

Re: To block 18264 on CheckPoint External Firewall

PhoneBoy — Sat, 23 Jan 2021 06:48:47 GMT

What is the version of gateway and management in question?
Note if the gateway and management are different versions, you may have to apply this fix in multiple locations (i.e. in the various backward compatibility directories).

Re: To block 18264 on CheckPoint External Firewall

the_rock — Sun, 24 Jan 2021 04:16:00 GMT

Personally, I would NEVER modify implied rules, thats a big security issue, at least for me. Also, how are you testing that access? via telnet or some other way? I would really like to see it for myself on the remote session if you are up for that, so you can show me exactly how this is configured.

Let me know.

Andy

Re: To block 18264 on CheckPoint External Firewall

SangJun — Wed, 03 Feb 2021 06:23:54 GMT

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

Re: To block 18264 on CheckPoint External Firewall

charles-corbin — Thu, 01 Dec 2022 14:38:44 GMT

Do you know if this is permanent point to point VPNs or the VPNs used on Checkpoint client connections on laptops?

Thanks in advance.

Re: To block 18264 on CheckPoint External Firewall

PhoneBoy — Thu, 01 Dec 2022 15:18:40 GMT

It applies to both.

Re: To block 18264 on CheckPoint External Firewall

RBP — Tue, 15 Aug 2023 04:54:54 GMT

Apart from disabling the implied rule. Is there any alternative way for blocking the 18264 port for being accept through implied rule. Can we stop the service. (cpca_client set_ca_services off)

Re: To block 18264 on CheckPoint External Firewall

PhoneBoy — Tue, 15 Aug 2023 21:27:08 GMT

This is a required service and leaving it stopped will cause anything involving SIC and/or VPNs to eventually break.
Modifying implied rules is one option, another is to use fw samp to block the relevant traffic on each gateway, which are enforced before Implied Rules.
A command like the following will need to be executed on all relevant gateways: fwaccel dos rate add -a d destination cidr:x.y.z.w/32 service 6/18264
This will block all traffic to the IP address x.y.z.w on TCP port 18264.
More details/specifics here: https://support.checkpoint.com/results/sk/sk112454

Re: To block 18264 on CheckPoint External Firewall

Sergei_Shir — Tue, 21 Nov 2023 09:24:34 GMT

sk35292 is not avalaible anymore.

Refer to sk179346: Configuring Explicit Rules instead of Implied Rules