https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/243280#M47259 <P>Sorry to bump an old thread.. just as a brief update we finally implemented sk180808 last night on one of our gateway clusters last night.&nbsp; It successfully blocked the HTTPS from public IPs, but it had an unexpected issue where it broke our Gaia web.&nbsp; It may be from how we are set up originally.. the fix was I had to go to into the Cluster Object, and change Platform Portal to use port 4434 instead of port 443, and create the explicit allow rule from the firewall admins to use port 4434 instead of 443.. after this gaia web started working again.&nbsp;&nbsp;</P> Fri, 07 Mar 2025 16:27:02 GMT Cypress 2025-03-07T16:27:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238864#M46332 <P>Hello.&nbsp; I have some gateways that accept traffic to the gateway itself on TCP/443, despite our stealth rule that should be preventing this.&nbsp; My apologies, as I see this is a frequent topic that is discussed on these forums.</P><P>We are looking at&nbsp;sk180808 which was presented to us as a possible solution.&nbsp; I am wanting to make sure I fully understand the sk article before attempting to implement it.</P><P>- The CLI change is done on the management server, and not the gateway.. is that correct?</P><P>- The change then takes affect on a gateway after you install policy on that gateway.</P><P>-In this sense, we can look at this as a "global" change that affects all of the gateway clusters under this management server.&nbsp; We may be able to install policy on only one cluster and test things out first.. but one way or another all the other clusters eventually will have to get policy install.</P><P>- reverting back, in case the results are not desirable.. would just be setting the value back to "0", cpstop;cpstart, then install policy again?&nbsp; Or would "revert to previous revision and then install policy" work?</P><P>My last question: I'm wondering if there is any recommended reading on more fully understanding the "Multiportal Policy" in general.. I have a rudimentary understanding that if you activate certain different blades and features on Check Point, one or more of those features provision a "portal" interface, that may share the same IP/Port as the portals for other blades/features.. and that is why Implied Rules are used with Multiportal policy.&nbsp;&nbsp;</P><P>What I would like a better understanding about is which features I have enabled that has put us into "multiportal mode?"&nbsp; Is there a way to see which "portals" are turned on with a gateway?</P><P>&nbsp;</P><P>Thanks for any information!</P> Thu, 16 Jan 2025 21:56:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238864#M46332 Cypress 2025-01-16T21:56:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238871#M46337 <P>I had done that sk with couple customers before, no issues. One was on R81.10 and other base R81. Yes, you apply it on mgmt and then install policy on the gateway(s). To see which multi portal is there, run mpclient list and to see the status, mpclient status and then whatever portal name is.</P> <P>Hope that helps.</P> <P>Andy</P> Fri, 17 Jan 2025 00:20:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238871#M46337 the_rock 2025-01-17T00:20:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238933#M46348 <P>Thank you this is helpful.&nbsp; Now that I see our multiportal list I have other questions too <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; One of mine listed is UserCheck which shows our internal users the "website is blocked" page.&nbsp; I guess it never occurred to me that is also a multiportal.. Does this mean after implementing&nbsp;<SPAN>sk180808, I may need to come up with an explicit rule in the security policy to allow internal users to still hit usercheck?&nbsp; or does sk180808 only have impacts for gaia portal?</SPAN></P> Fri, 17 Jan 2025 15:11:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238933#M46348 Cypress 2025-01-17T15:11:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238938#M46349 <P>Questions are free <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Anyway, I never had to change any of that with user check page, but personally, I would ensure it shows as below.</P> <P>Andy</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29255iA8A4B664D5E36965/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Fri, 17 Jan 2025 15:17:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238938#M46349 the_rock 2025-01-17T15:17:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238949#M46352 <P>Btw, happy to test anything you need, I have fully working R81.20 and R82 labs going.</P> <P>Andy</P> <P>Have a nice weekend!</P> Fri, 17 Jan 2025 16:22:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/238949#M46352 the_rock 2025-01-17T16:22:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/243280#M47259 <P>Sorry to bump an old thread.. just as a brief update we finally implemented sk180808 last night on one of our gateway clusters last night.&nbsp; It successfully blocked the HTTPS from public IPs, but it had an unexpected issue where it broke our Gaia web.&nbsp; It may be from how we are set up originally.. the fix was I had to go to into the Cluster Object, and change Platform Portal to use port 4434 instead of port 443, and create the explicit allow rule from the firewall admins to use port 4434 instead of 443.. after this gaia web started working again.&nbsp;&nbsp;</P> Fri, 07 Mar 2025 16:27:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/243280#M47259 Cypress 2025-03-07T16:27:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/243283#M47261 <P>I believe this is not really a concern in newer jumbo hotfixes for R81.20, as per sk, but yes, my bad, I forgot to mention originally web portla should be on port other than 443 in this case.</P> <P>Andy</P> Fri, 07 Mar 2025 16:34:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Has-anyone-implemented-sk180808/m-p/243283#M47261 the_rock 2025-03-07T16:34:29Z