This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hrvoje_Brlek
Collaborator
‎2019-12-10 05:58 AM
Jump to solution

Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Hi,

We are using Endpoint Security clients from E80.87 to E82.10, on approximately 1000 users. Our firewall gateway is on version R80.30, and our Endpoint Security Management Server is also on R80.30 (with two external Endpoint Policy Servers). As we have a lot of roaming users we need the ability to use the Register to Hotspot functionality with all ports open during the registration.

I followed the sk41586 and defined the any_port through GuiDBedit tool, and applied it on the Global Properties (see attachment below) on the firewall gateway.

GP.jpg

 

But, as we are using the SmartEndpoint console, there is also the ability to define the ports to be used for Hotspot registration (Policy -> Allow hotspot registration). How can I define the any_port through SmartEndpoint, what value do I have to use (see attachment below)? There is no description in the admin guide what to use for any port if you define it through SmartEndpoint.

SE.jpg

 

And the thing that confuses me the most. What configuration will be applied on the client side when connected to VPN, the one defined on the gateway in Global Properties or the one defined in the SmartEndpoint Policy?

 

Below is the configuration I get in trac.config when I connect to the VPN:

<PARAM fw_hotspot_ports="&lt;any_port>"></PARAM>
<PARAM fw_hotspot_ports="443"></PARAM>
<PARAM fw_hotspot_ports="80"></PARAM>
<PARAM fw_hotspot_ports="8080"></PARAM>
<PARAM fw_hotspot_ports="8080"></PARAM>
<PARAM fw_hotspot_ports="8444"></PARAM>

 

Thanks,

Hrvoje

 

 

0 Kudos
1 Solution

Accepted Solutions
Hrvoje_Brlek
Collaborator
‎2020-01-22 06:20 AM
In response to Daniel_Hainich
Jump to solution

1.) The port-range doesn't work, as PhoneBoy mentioned it should be fixed in R80.40.

For us the solution was to use any port. To get it working you need to add any in the SmartEndpoint policy on the Hotspot Settings (Policy -> Allow hotspot registration). I have tested this solution and it is working fine. 

cp.jpg

Although, if you check the trac.config file on the client side, the ports that are configured for the hotspot are the ones that are defined in the Global Properties on the gateway (not the ones from SmartEndpoint). But, apparently they are not applied, the configuration from the SmartEndpoint is the one that is applied (in our case any port). 

trac.config:

<PARAM fw_hotspot_ports="22"></PARAM>
<PARAM fw_hotspot_ports="443"></PARAM>
<PARAM fw_hotspot_ports="80"></PARAM>
<PARAM fw_hotspot_ports="8080"></PARAM> 

 

2.) Also, to answer the second question. It is enough to define the hotspot policy in the SmartEndpoint console.  You can have the option on the Global Properties checked or unchecked, it won't make any difference as long as you are using SmartEndpoint. I tested it both ways, and SmartEndpoint configuration overrides the Global Properties.

In fact, we got the response from TAC regarding this second question and they said it depends if you enforce the Endpoint Firewall policy or the Desktop Policy from SmartConsole (as per sk105644). But, I have tried both options and they don't affect the hotspot registration settings. For us it always remained the one configured in the SmartEndpoint (testing was conducted with re-creating the VPN sites).

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2019-12-10 10:11 AM
Jump to solution

Maybe try a port range 1-65535?
0 Kudos
Hrvoje_Brlek
Collaborator
‎2019-12-11 12:03 AM
In response to PhoneBoy
Jump to solution

Already tried, it doesn't accept any kind of port range:

port.jpg

 

There is also sk155072 which states the format above should work, but it doesn't (I tried while we were on R70.30.03 and now on R80.30):

port_range.JPG

0 Kudos
PhoneBoy
Admin
Admin
‎2019-12-11 08:41 AM
In response to Hrvoje_Brlek
Jump to solution

If the SK says it should work and it doesn’t…probably worth a TAC case to clarify.
PhoneBoy
Admin
Admin
‎2019-12-11 12:13 PM
In response to Hrvoje_Brlek
Jump to solution

Checked with R&D, this is most definitely a GUI bug.
Please open a TAC case.
Hrvoje_Brlek
Collaborator
‎2019-12-11 11:12 PM
In response to PhoneBoy
Jump to solution

OK, thanks, will do so 🙂

0 Kudos
Daniel_Hainich
Advisor
‎2020-01-21 06:05 AM
In response to Hrvoje_Brlek
Jump to solution

hi
any news about this issue? i have the same problem that i cannot configure an port-range.
next question is - do i have to configure global properties and/or hotspot-policy in endpoint-console?
0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-21 08:21 AM
In response to Daniel_Hainich
Jump to solution

This should be fixed in R80.40.
Haven't heard of they've backported this in earlier releases, but a TAC case is the way to find out.
0 Kudos
Hrvoje_Brlek
Collaborator
‎2020-01-22 06:20 AM
In response to Daniel_Hainich
Jump to solution

1.) The port-range doesn't work, as PhoneBoy mentioned it should be fixed in R80.40.

For us the solution was to use any port. To get it working you need to add any in the SmartEndpoint policy on the Hotspot Settings (Policy -> Allow hotspot registration). I have tested this solution and it is working fine. 

cp.jpg

Although, if you check the trac.config file on the client side, the ports that are configured for the hotspot are the ones that are defined in the Global Properties on the gateway (not the ones from SmartEndpoint). But, apparently they are not applied, the configuration from the SmartEndpoint is the one that is applied (in our case any port). 

trac.config:

<PARAM fw_hotspot_ports="22"></PARAM>
<PARAM fw_hotspot_ports="443"></PARAM>
<PARAM fw_hotspot_ports="80"></PARAM>
<PARAM fw_hotspot_ports="8080"></PARAM> 

 

2.) Also, to answer the second question. It is enough to define the hotspot policy in the SmartEndpoint console.  You can have the option on the Global Properties checked or unchecked, it won't make any difference as long as you are using SmartEndpoint. I tested it both ways, and SmartEndpoint configuration overrides the Global Properties.

In fact, we got the response from TAC regarding this second question and they said it depends if you enforce the Endpoint Firewall policy or the Desktop Policy from SmartConsole (as per sk105644). But, I have tried both options and they don't affect the hotspot registration settings. For us it always remained the one configured in the SmartEndpoint (testing was conducted with re-creating the VPN sites).

Daniel_Hainich
Advisor
‎2020-01-22 07:28 AM
In response to Hrvoje_Brlek
Jump to solution

thanks for reply. i will test it shortly.

edit: i have tested this solution and it works. hotspot-registration is working now with any port. 🙂

 

0 Kudos
514numbers
Contributor
‎2020-12-11 11:48 AM
Jump to solution

Off topic, but on the global properties, remote access, hotspot / wifi registration section, where have you found the LOG for tracking? I thought it would be automatically sent up to the management server however unable to find it in the LOGS. Does anybody know where this LOG tracking entry is? 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events