https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255929#M50123 <P>If you have any VPNs, port 18264 needs to be open for the CRL to validate VPN certificates.<BR />If you do NOT have any Remote Access VPN users, then you could theoretically disable access on port 80/443.<BR />UDP 500 is needed for any sort of VPN.</P> Mon, 25 Aug 2025 18:45:08 GMT PhoneBoy 2025-08-25T18:45:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255784#M50073 <P>Hi All,</P><P>Our vulnerability scanner shown port 80, 443, 500 and 18264 are open on external interfaces of our firewall. We are not using SSL VPN or remote access VPN on this firewall but we have IPSec Site to Site VPN Tunnel on it. I have disabled few settings&nbsp;</P><P>- VPN Clients &gt; Desktops / Laptops Windows and Mac clients</P><P>- VPN Clients &gt; Authentication &gt; allow older client to connect this gateway</P><P>- VPN Client &gt; Remote Access &gt; Allow remote clients to route the traffic through this gateway</P><P>- Mobile Access &gt; Web - SSL vpn with Web Browser</P><P>But still the above mentioned ports are open and as per SOC team they are insisting me to block access to this ports from the external word. I need help here can anyone please suggest what needs to be done fix this.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 23 Aug 2025 06:09:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255784#M50073 Deepraj_Patil 2025-08-23T06:09:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255786#M50075 <P>If you have S2S VPN you probably don't want to block 500.</P> <P>Solutions for the others are readily searchable.</P> Sat, 23 Aug 2025 06:31:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255786#M50075 Chris_Atkinson 2025-08-23T06:31:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255929#M50123 <P>If you have any VPNs, port 18264 needs to be open for the CRL to validate VPN certificates.<BR />If you do NOT have any Remote Access VPN users, then you could theoretically disable access on port 80/443.<BR />UDP 500 is needed for any sort of VPN.</P> Mon, 25 Aug 2025 18:45:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/255929#M50123 PhoneBoy 2025-08-25T18:45:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/256243#M50191 <P>Make a fake NAT rule to any sort of 127.0.0.x <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 30 Aug 2025 14:51:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/256243#M50191 CheckPointerXL 2025-08-30T14:51:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/256245#M50192 <P data-start="47" data-end="124">HI&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/108310">@Deepraj_Patil</a>,<BR /><BR />The following overview shows all open ports used by a Check Point gateway and management server.<BR /><A href="https://www.checkpoint.tips/doc/Ports.pdf" target="_blank" rel="noopener">https://www.checkpoint.tips/doc/Ports.pdf</A><BR /><BR />Here is a picture (the same one can be found in the PDF)<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ports1_4534534.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31335i79E80EB1AD3AAADB/image-size/large?v=v2&amp;px=999" role="button" title="Ports1_4534534.png" alt="Ports1_4534534.png" /></span><BR /><BR />Open Ports:<BR /><SPAN class="lia-message-unread lia-message-unread-windows">80&nbsp; &nbsp; &nbsp; &nbsp; -&gt; You should check this out (Static NAT to a web server , ...)<BR />443&nbsp; &nbsp; &nbsp; -&gt; Multi Portal Daemon, Mobile Access Blade, Remote Access VPN,&nbsp;(Static NAT to a web server , ...)<BR />500&nbsp; &nbsp; &nbsp; -&gt; IPSec VPN<BR />18264&nbsp; -&gt; VPN Cert. fetch<BR /><BR />In addition to UDP 500, the <STRONG data-start="28" data-end="45">UDP port 4500</STRONG> may also need to be open for NAT-T, ensuring VPN connections work properly when endpoints are behind NAT devices.<BR /><BR /><STRONG>Here's what you can do:</STRONG><BR /></SPAN></P> <UL data-start="126" data-end="248"> <LI data-start="167" data-end="248"> <P data-start="169" data-end="248">Change the position of rule processing under "<STRONG data-start="214" data-end="246">Global Properties → Firewall"&nbsp;</STRONG>to "befor last" (Please proceed with caution)</P> </LI> <LI data-start="167" data-end="248"> <P data-start="47" data-end="124">Create stealth rules on the firewall to block specific ports and access attempts.</P> </LI> </UL> Sat, 30 Aug 2025 16:50:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/256245#M50192 HeikoAnkenbrand 2025-08-30T16:50:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/256263#M50196 <P>Hi Heiko,</P><P>Thank you for the detailed information about the open ports.</P><P>Regards,</P><P>Deepraj</P> Sun, 31 Aug 2025 16:35:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Port-80-443-500-and-18264-are-open-on-external-interfaces-how-to/m-p/256263#M50196 Deepraj_Patil 2025-08-31T16:35:53Z