topic Re: Port Status Closed vs Port Status Filtered in General Topics

Port Status Closed vs Port Status Filtered

LostBoY — Fri, 20 Jan 2023 14:15:11 GMT

We recently had a PT Scan run on our Checkpoint environment and it pointed out a few ports whose state is showing as CLOSED.

The recommendation from SOC was to change it to filtered mode..i.e in scan these should reflect as FILTERED in place of CLOSED.

My query is what does this actually mean ? how can this be configured to change it from CLOSED to FILTERED ?

Any help is appreciated.

Re: Port Status Closed vs Port Status Filtered

PhoneBoy — Fri, 20 Jan 2023 19:37:23 GMT

I presume:

Closed: A TCP Reset or an ICMP Port Unreachable was received in response to a probe attempt. This generally means you've reached the target host, though it can happen for other reasons as well.
Filtered: No response was received to a probe attempt. This generally means the traffic is being blocked by something along the way (i.e. a firewall), but can also happen for other reasons (routing issues).

To change from "Closed" to "Filtered" you would need to create the appropriate Access Policy rule to block the relevant traffic.

Re: Port Status Closed vs Port Status Filtered

LostBoY — Fri, 27 Jan 2023 09:43:28 GMT

what should be under "Action" for an access rule which should put a port in filtered mode ?

Re: Port Status Closed vs Port Status Filtered

G_W_Albrecht — Fri, 27 Jan 2023 09:52:10 GMT

Block

Re: Port Status Closed vs Port Status Filtered

LostBoY — Fri, 27 Jan 2023 10:05:13 GMT

ok so a cleanup rule with any any any deny doesn't put a port in filtered mode..to put a port in filtered mode an explicit block rule is required ?

Re: Port Status Closed vs Port Status Filtered

PhoneBoy — Fri, 27 Jan 2023 17:56:48 GMT

What precise port on what precise device is being reported as Closed instead of Filtered?
The answer generally depends on what other access rules exist.
If the destination is a Check Point gateway, implied rules will also impact this.

Re: Port Status Closed vs Port Status Filtered

Bob_Zimmerman — Fri, 27 Jan 2023 20:54:49 GMT

Block and deny aren't actions in Check Point access rules. 😉 The precise terminology matters here.

In an access layer, the action Reject sends a RST in response to matching TCP connections, or an ICMP Destination Unreachable, Administratively Prohibited (type 3, code 13, I think) message in response to non-TCP traffic.

In an access layer, the action Drop discards the traffic silently.

I would argue with the SOC that it doesn't matter. Either result provides the same information back to a potential attacker: there is something there, and the traffic they tried isn't allowed. Hiding is not a valid strategy for network defense. Instead, set up a few canaries, and if anybody tries to access any of them, block the scanner for a day.

Re: Port Status Closed vs Port Status Filtered

LostBoY — Mon, 30 Jan 2023 10:37:49 GMT

TCP/444/SNPP/CLOSED TCP/500/ISAKMP/CLOSED TCP/4500/SAE-URN/CLOSED TCP/8082/BLACKICE-ALERTS/CLOSED TCP/8880/CDDBP-ALT/CLOSED TCP/61447/UNKNOWN/CLOSED

These are the mentioned ports but these are all for GW IP and there is already a stealth rule present.

Re: Port Status Closed vs Port Status Filtered

PhoneBoy — Mon, 30 Jan 2023 13:46:39 GMT

Pretty sure the VPN ports there (500/4500) are being allowed through implied rules.
Same with port 444, which I believe is the legacy SNX portal.
If you have VPN enabled on your gateway those ports will be open.
We use various other random high ports for various security functions which may appear open.

Re: Port Status Closed vs Port Status Filtered

LostBoY — Mon, 30 Jan 2023 14:55:50 GMT

The ones which are showing as CLOSED.. if i put an explicit rule for these ports with action "BLOCK" will they reflect as FILTERED ?

Re: Port Status Closed vs Port Status Filtered

G_W_Albrecht — Mon, 30 Jan 2023 14:56:59 GMT

Maybe TAC can help here much quicker ?

Re: Port Status Closed vs Port Status Filtered

PhoneBoy — Mon, 30 Jan 2023 20:01:55 GMT

Not if they're being allowed through implied rules, which the VPN ones are.
Not sure about the others, but an explicit "stealth rule" for the Security Gateway/Cluster is considered best practice.

Re: Port Status Closed vs Port Status Filtered

LostBoY — Wed, 01 Feb 2023 09:18:37 GMT

Contacted TAC and they are saying there is not way to put a port in Filtered mode which is quite surprising.

I guess nothing can be done in that case.

Re: Port Status Closed vs Port Status Filtered

G_W_Albrecht — Wed, 01 Feb 2023 11:59:47 GMT

TCP

444

Required port for Remote Access client Site Creation

TCP

500

IKE_tcp - IPSEC Internet Key Exchange Protocol over TCP

IKE negotiation over TCP (by VPND daemon)

TCP

4500

not predefined

relevant for cases where TCP encapsulation is used for RA VPN traffic

TCP

8082

not predefined

Internal SmartView port

TCP

8880

not predefined

Security Gateway listens on this port for communication with Mobile Access.

From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk52421&partition=Advanced&product=Quantum