Tony_Graham
Advisor

Need to close port 80 and 443 on external interface

Recently updated to R82 JHF 60 and now we have port 80 and 443 admin connections open to our gateway. We do not know why that is occurring as we have made no changes other than applying the JHF. We have a stealth rule for our gateway external interfaces which drops all inbound connections to it. We do not use VPNs or any other remote access technology. We assume there is some implied rule that is creating the behavior but are not sure which one it could be. Any assistance appreciated before we go to TAC.


Looking in the logs we find Access Rule Name: Implied Rule

Access Rule Number: 0

There is no Rule 0 configured.

The most likely rule is 'Accept Web and SSH connections for Gateway Administration' under implied rules but unchecking that makes no difference.


1 Solution

Accepted Solutions
Tony_Graham
Advisor

I found some notes on the last time this happened with R82. I will post them here.

Not sure who I was conversing with at the time.

To close 80 and 443 after update

Another possible method is enabling the parameter fw_ignore_before_drop_rules.
What this does is make it so that your rulebase takes priority over the implied rules for the HTTP portal services.

You can check the current value by running:
fw ctl get int fw_ignore_before_drop_rules

If it is at 0 (default value) then the feature is currently disabled.

If you want to enable it, you can run:
fw ctl set int fw_ignore_before_drop_rules 1

On the management server, edit implied_rules.def in /opt/CPSuite82/fw1/lib and set the end of the rule to drop.

#define multiportal_real_ports_block_in \
start_rule_code(MAKE_RULENUM(0,0x62)), \
tcp, ((inbound, (IS_MY_IPADDR(dst) or IS_LOCAL_CLUSTER_IP(dst)))), \
(dport in multiportal_real_ports) or (dport = 8880) or (dport = 444) or (dport = 8082), IMPLIED_LOG, drop;


Push the Access Control policy via SmartConsole.

I spoke with RnD and it turns out there was a newly added feature in R82.

By adding this line into the $FWDIR/conf/user.def.FW1 file, you are able to change *all* implied rules that originally rejected into drops instead.

#define ENABLE_DROP_INSTEAD_OF_REJECT

Example of it being in my file:
#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

#define ENABLE_DROP_INSTEAD_OF_REJECT

#endif /* __user_def__ */

I will add an SK in the future to document this procedure. (again I do not know who this was.)


0 Kudos
6 Replies
CaseyB
Advisor

I would check these gateway settings:

[image: gw-portal.png]

Tony_Graham
Advisor

It is set to internal only.

0 Kudos
the_rock
MVP Diamond

Hey Tony,

See if this post I made while ago is relevant to your situation.

https://community.checkpoint.com/t5/SASE-and-Remote-Access/Geo-VPN-blocking/m-p/214040#M10593

Best,
Andy
"Have a great day and if it's not, change it"
Tony_Graham
Advisor

I have been tinkering with sk165937

I was able to close port 80 using:

multi_portal_allow_redirect 0 but it is not truly disabled, just closed so it will still respond to a port scan.

Editing implied_rules.def and commenting out ENABLE_PORTAL_HTTP_REDIRECT has no effect (the SK is actually for R81 series)

I have pushed policy after making changes.

0 Kudos
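The observation above (port 80 "closed, not truly disabled, so it still answers a port scan") and the accepted solution (turning the implied rejects into drops) differ in exactly one thing visible from outside: whether the gateway answers the SYN with a reset or stays silent. The probe below is an added example for verifying that from a host that can otherwise reach the gateway; it is not code from the thread or from Check Point. The gateway address on the command line is a placeholder for your own external interface, and the loopback demo is a constructed stand-in that produces the "open" and "closed" verdicts locally (a loopback port with no listener answers with RST, the same client-side symptom a reject rule gives).

```python
"""Classify how a gateway's admin ports answer a TCP connect attempt.

Verdicts:
  open        three-way handshake completed (portal is reachable)
  closed      RST / ICMP reject came back (port rejected, still visible to a scan)
  filtered    nothing came back within the timeout (SYN was dropped)
  unreachable the local stack could not route to the host (says nothing about it)
"""
import errno
import socket
import sys


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"             # handshake completed: something is listening
    except socket.timeout:
        return "filtered"         # no SYN/ACK and no RST within timeout: dropped
    except ConnectionRefusedError:
        return "closed"           # RST or ICMP reject: rejected, not dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # routing problem on our side, not a verdict
        raise
    finally:
        sock.close()


def probe_admin_ports(host: str, ports=(80, 443), timeout: float = 3.0) -> dict:
    """Probe the ports discussed in the thread; returns {port: verdict}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def all_dropped(results: dict) -> bool:
    """True when every probed port is 'filtered', the behaviour a drop rule
    (rather than a reject) produces for an external scanner."""
    return all(verdict == "filtered" for verdict in results.values())


def loopback_demo() -> tuple:
    """Constructed offline demo: a loopback listener yields 'open'; once it is
    closed the same port answers with RST, which the probe reports as 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python3 probe_gw.py <gateway-external-ip>   (placeholder: your own gateway)
        verdicts = probe_admin_ports(sys.argv[1])
        for port, verdict in sorted(verdicts.items()):
            print(f"tcp/{port}: {verdict}")
        print("all dropped:", all_dropped(verdicts))
    else:
        print("loopback demo (open, closed):", loopback_demo())
```

Run it before and after the change from the same external vantage point: a port that moves from "closed" to "filtered" has gone from reject to drop, which is what the stealth rule was expected to give in the first place. A "filtered" result alone is not proof, since a path problem looks identical; the "unreachable" verdict and the before/after comparison are there to keep that from being misread.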
the_rock
MVP Diamond

K, excellent!

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos