https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164977#M29563 Wed, 05 Apr 2023 09:12:56 GMT umar7 2023-04-05T09:12:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164977#M29563 Wed, 05 Apr 2023 09:12:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164977#M29563 umar7 2023-04-05T09:12:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164978#M29564 <P>Both ports are not listed here:&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk52421&amp;partition=Advanced&amp;product=All" target="_blank">sk52421: <STRONG>Ports</STRONG> <STRONG>used</STRONG> by <STRONG>Check Point</STRONG> softwar</A>e</P> Tue, 13 Dec 2022 08:42:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164978#M29564 G_W_Albrecht 2022-12-13T08:42:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164981#M29566 <P>Those seems to be a httpd2 ports for multiportals. Since there are lot many portals running like captive portal, Mobile access portal, NAC, userChek on Apache and there are vhosts configuration done under Apache and those ports then start listening on then and has got a forwarding done internally&nbsp;</P><P>e.g.</P><P>For me port 20988 listens on Apache2 which says it is opened for multiportal NAC/Captive Portal</P><P>/opt/CPshrd-R81/web/Apache/bin/httpd -DFOREGROUND -k start -f /opt/CPshrd-R81/conf/multiportal/httpd-conf/nac/httpd.conf -DPORTAL_NAME_nac</P><P>You will get more details from mpclient list command&nbsp;</P><P>mpclient list<BR />DLPSenderPortal<BR />ExchangeRegistration<BR />ReverseProxyClear<BR />ReverseProxySSL<BR />SecurePlatform<BR />UserCheck<BR />nac<BR />nac_transparent_auth<BR />saml-vpn<BR />sslvpn</P> Tue, 13 Dec 2022 09:12:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164981#M29566 Blason_R 2022-12-13T09:12:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164983#M29568 <P>First, half-open ports are not necessarily a vulnerability, even if Nessus thinks they are.&nbsp; Vulnerability is something you can exploit.</P> <P>Second, if you believe you indeed found a vulnerability in any of Check Point products,<U> the only correct way</U> to disclose it is to <U>adhere to responsible disclose principles</U> and to use <A href="https://www.checkpoint.com/security-issue/" target="_self">this form</A>&nbsp;</P> Tue, 13 Dec 2022 09:17:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/164983#M29568 _Val_ 2022-12-13T09:17:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/165059#M29587 <P>&nbsp;</P> <P>We use a number of random high TCP ports to redirect certain traffic to for various reasons (Threat Prevention, UserCheck, among others).<BR />Even there is a vulnerability there, it’s only accessible from the local system and would require root access (expert mode) to do so, which should only be provided to authorized individuals.<BR />Which makes this “vulnerability” not interesting.</P> <P>The fact a vulnerability scanner can find this suggests your access policy needs to be improved.<BR />Best practice is to have a stealth rule in place that blocks all traffic to the gateway except for the traffic needed to manage the device.</P> Tue, 13 Dec 2022 14:53:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/vulnerability/m-p/165059#M29587 PhoneBoy 2022-12-13T14:53:04Z