topic Re: NMAP Shows Ports 5060 & 2000 Open in General Topics

NMAP Shows Ports 5060 & 2000 Open

Digo11 — Mon, 10 Jul 2023 07:09:06 GMT

Hello Community,

Greetings to all.

Using the NMAP tool, I did a port scan in my internal network and found ports 2000 and 5060 Open. Interestingly, NMAP found these ports open on security gateway Mgmt IPs and management server IP addresses. In the rule base, only ports 22 (SSH) and 443 (HTTPS) is allowed on Gateway and SMS IPs.

Somehow, I can do telnet on 172.16.1.37 5060 and 172.16.1.37 2000. When I check the logs for these Telnet connections it shows "Drop" and hits the explicit rule I created.

The question is if ports 5060 and 2000 are not allowed in the security policy then why and how Telnet is possible despite the "DROP" log seen on the smart console?

Looking forward to suggestions.

Checkpoint 5600 HA (Active-Passive)

OS: GAIA R81.10 Take 87

Blades: IPS, Anti Virus, AntiBot

Thank you.

Digo.

Re: NMAP Shows Ports 5060 & 2000 Open

Tal_Paz-Fridman — Mon, 10 Jul 2023 13:27:34 GMT

Looks like it is related to the issue mentioned in sk177251:

Quantum Spark appliance ports in built-in SIP services are opened for port-scan/Telnet without any allowing rule

https://support.checkpoint.com/results/sk/sk177251

I also found other cases that state these ports are open for VoIP purposes so check if your policy uses them.

In any case I would contact TAC or a further assistance.

Re: NMAP Shows Ports 5060 & 2000 Open

the_rock — Mon, 10 Jul 2023 13:57:39 GMT

Would it still be applicable to 5600 appliances though?

Andy

Re: NMAP Shows Ports 5060 & 2000 Open

PhoneBoy — Mon, 10 Jul 2023 22:36:40 GMT

Are there any rules involving SIP?
Might require a TAC case to investigate.

Re: NMAP Shows Ports 5060 & 2000 Open

Digo11 — Wed, 12 Jul 2023 02:18:43 GMT

No, we do not have any rules with SIP. It is a core firewall with no SIP traffic.

Thank you for the suggestion. I will involve TAC in this.

Regards,

Digo.