topic Re: VPN Port only on external interface in Firewall and Security Management

VPN Port only on external interface

Bac26 — Thu, 15 Jun 2023 14:50:36 GMT

Hello

would be possibie to open only on external interfaces ports use for site to site vpn and remote access?

best regards

Fabio

Re: VPN Port only on external interface

PhoneBoy — Thu, 15 Jun 2023 14:55:28 GMT

Unless you've disabled the relevant implied rules, this traffic should already be allowed.

Re: VPN Port only on external interface

Bac26 — Thu, 15 Jun 2023 15:07:59 GMT

but i would like to enable on a specific cluster only on the external interface, now is enabled on all interfaces like ike 500

Re: VPN Port only on external interface

PhoneBoy — Thu, 15 Jun 2023 15:52:30 GMT

If VPN is enabled, the gateway will listen on all interfaces on UDP port 500.
There is no way to prevent this from occurring and would require an RFE with your local Check Point office.

Access to VPN (Remote Access, Site-to-Site) is enabled through Implied Rules.
The only way to disable this access is either:

Disabling implied rules and creating manual rules: https://support.checkpoint.com/results/sk/sk179346
Use fwaccel to rate limit access to UDP 500 similar to: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695 (more details on fwaccel dos here: https://support.checkpoint.com/results/sk/sk112454)

I recommend the latter approach versus the former one.

Re: VPN Port only on external interface

Bac26 — Tue, 20 Jun 2023 07:20:47 GMT

so you advice to keep implied rules?

Re: VPN Port only on external interface

PhoneBoy — Tue, 20 Jun 2023 21:39:15 GMT

In order to prevent VPN traffic from being accepted via Implied Rules, you would have to disable Accept Control Connections.
This would require continual maintenance of several rules unrelated to VPN.
Whereas with the fwaccel approach, it requires one command on each gateway to be run.
Though if you are using fwaccel on gateways regularly, you'll have to be mindful of these rules.

Re: VPN Port only on external interface

Bac26 — Wed, 21 Jun 2023 05:50:55 GMT

But with fwaccel the port is in listening you just drop traffic right?

Re: VPN Port only on external interface

PhoneBoy — Wed, 21 Jun 2023 18:34:20 GMT

Yes, the gateway is still listening on those ports.

However, when using the appropriate fwaccel dos commands, access to this port is rate-limited to zero, so no traffic will be received/processed by the daemon.
Which is more or less the exact same effect as disabling the Implied Rules would have.

Re: VPN Port only on external interface

Bac26 — Thu, 22 Jun 2023 07:09:33 GMT

Hello

can you show me an example command to block one vpn port? ex ike 500? and how to reverst in case?

Thank you

Re: VPN Port only on external interface

PhoneBoy — Thu, 22 Jun 2023 16:57:54 GMT

Probably something like (this blocks access to UDP port 500)

fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0

To revert, delete the relevant rule:

fwaccel dos rate del "<Rule UID>"

To get the rule UID, you need to parse the output of: fw samp get -l

More possibilities listed here: https://support.checkpoint.com/results/sk/sk112454

Re: VPN Port only on external interface

Bac26 — Fri, 23 Jun 2023 06:17:05 GMT

in case of a cluster i should set the cidr to the VIP? or still on physical?

Re: VPN Port only on external interface

PhoneBoy — Fri, 23 Jun 2023 15:05:52 GMT

If your goal is to prevent access, then I would specify both the VIP and physical IPs.