topic Re: Implied rules in General Topics

Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 10:11:14 GMT

Hello All,

I'm looking for some help with the following, at the moment I see lots of external traffic being allowed by an implied rule on port TCP 4500. On smartview tracker the only info I have is the source external IP to our external firewalls over Port TCP 4500, which I'm not sure what service is using this port. My first thought was VPN, but my understanding is that the IKE uses port udp or tcp 500 and NAT-T port udp 4500.

There is no indication what would be allowing this traffic, as the only info I have is Accept 0-Implied rules. I just double checked the implied rules but cannot see anything allowing port TCP 4500 (screenshot attached).

Can you provide some guidance please?

Re: Implied rules

G_W_Albrecht — Tue, 04 Dec 2018 10:51:22 GMT

sk52421: Ports used by Check Point software :

UDP

4500

IKE_NAT_TRAVERSAL - NAT Traversal (NAT-T) Protocol

NAT Traversal adds a UDP header, which encapsulates the IPSec ESP header (by VPND daemon).

And:

sk62692: Ports used on Security Gateway for SecureClient and Endpoint Security VPN :

UDP 4500 - NAT-T port for industry standard UDP encapsulation

Re: Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 10:54:20 GMT

Thank you for your prompt answer.

That is port UDP 4500, the behavior we are seeing is on port TCP 4500.

Re: Implied rules

G_W_Albrecht — Tue, 04 Dec 2018 10:56:54 GMT

CP does not use that, so i think that there is no implied rule for it...

Re: Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 11:00:04 GMT

Well, I understand and I thought exactly the same...but if you see the screenshot that I attached that is not what it looks like.

Re: Implied rules

Gaurav_Pandya — Tue, 04 Dec 2018 11:11:46 GMT

Hi,

Please check RFC 8229

https://tools.ietf.org/html/rfc8229

Re: Implied rules

_Val_ — Tue, 04 Dec 2018 11:20:18 GMT

TCP 4500 is used for TCP Encapsulation and is related to Remote Access VPN functionality.

Re: Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 11:21:25 GMT

Thank you for your prompt answer.

I checked that document previously. Question is about implied rules, and we don't seem to have any implied rule to allow traffic on port TCP 4500 but we can see external IPs scanning our network and traffic over that port is being allowed.

Re: Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 11:23:29 GMT

Thank you for your prompt reply.

Can you please tell me what it is supposed to see on the comment for this implied rule? or what is the service or destination?

Re: Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 11:25:45 GMT

and what option exactly enables this functionality?

Re: Implied rules

_Val_ — Tue, 04 Dec 2018 11:34:32 GMT

As far as I know, NAT-T + Remote Access VPN

However, if you have a concern about implied rules and handling of this traffic, please open a support case with TAC so we could investigate

Re: Implied rules

Reinaldo_Fernan — Tue, 04 Dec 2018 11:46:37 GMT

Thanks Valeri.

Not familiar with open TAC cases. Can you please give me some guidance how to do this?

Re: Implied rules

_Val_ — Tue, 04 Dec 2018 12:42:53 GMT

I mean, open a support case with your support partner or Check Point directly, according to your maintenance contract.

How to open a Service Request (SR)