Exonix
Advisor

Restrict external access to the Management Server

Hello,

We have a Management Server in an internal network, but we also have two managed gateways with public IPs that are managed over the Internet. That’s why we enabled NAT on the Management Server:

Management_NAT.png


It turned out that this exposed the Management Server, and we observed login attempts in the audit logs:
How can we protect our Management Server? It must be accessible from some internal networks and external gateways.

unknown_IP.png


PS C:\> tnc public_IP -port 19009


ComputerName     : public_IP
RemoteAddress    : public_IP
RemotePort       : 19009
InterfaceAlias   : Ethernet 3
SourceAddress    : 192.168.178.48
TcpTestSucceeded : True


6 Replies
simonemantovani

If the management is behind a firewall, you could filter access only for the remote gateways, right?

Exonix
Advisor

Yes, I could. Now I need to figure out whether the Management Server is really behind the firewall. I can see traffic from my side to the public IP, but only on ports 80/443 — I don't see any traffic on port 19009, which I've shown above.

Martijn
MVP

Hi.

Port 19009 is used by the SmartCenter for the CPM service.

sk52421 - Ports used by Check Point software

It is handled by the Implied Rules if they are enabled, which is the default.
If you do not log Implied Rules (which is off by default), you do not see this traffic in the logs.

Martijn

Martijn
MVP

Hi,

Do you have implied rules enabled? If so, they come before any other rule in the rule base.
So Control Connections (Check Point's services) are allowed regardless of the rules you create to block them.

Disable Implied Rules and create custom rules for your SmartCenter traffic. But be aware, you need to create specific rules in your rule base for policy installs and logs from gateway to management. So make sure those are in place.

Martijn

Lesley
MVP Gold

I would also recommend configuring the GUI access list in the Gaia portal and SSH access. Add there only the IP ranges that are allowed to connect with SmartConsole, SSH and HTTPS.

-------
Please press "Accept as Solution" if my post solved it 🙂
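Putting the replies above together (Martijn's point about Implied Rules not being logged, Lesley's allowed-host list) into something a defender can run: the script below is an added example, not code from any poster or from Check Point. It screens constructed audit-log lines for logins from outside a constructed allow-list of internal admin networks and the two gateways' public addresses, and prints the matching Gaia clish `allowed-client` lines; the clish syntax is recalled from the Gaia Administration Guide and is an assumption to verify, and the log format is invented, so adapt `LINE_RE` to your real audit export.

```python
import ipaddress
import re

# Constructed allow-list for this example: the internal admin networks plus the
# two managed gateways' public addresses (documentation-range placeholders).
ALLOWED_SOURCES = [
    "192.168.178.0/24",   # internal SmartConsole / SSH admins
    "10.10.0.0/16",       # second internal network
    "203.0.113.10/32",    # managed gateway 1 (placeholder)
    "198.51.100.20/32",   # managed gateway 2 (placeholder)
]

# Constructed audit lines; the real Check Point audit log format differs, so adapt LINE_RE.
SAMPLE_AUDIT_LINES = [
    "2024-05-01 10:01:12 user=admin login from 192.168.178.48 result=success",
    "2024-05-01 10:03:45 user=admin login from 203.0.113.10 result=success",
    "2024-05-01 10:07:09 user=admin login from 45.0.0.99 result=failed",
    "2024-05-01 10:07:10 user=root login from 45.0.0.99 result=failed",
    "2024-05-01 10:09:00 user=admin login from 10.10.5.7 result=success",
]

LINE_RE = re.compile(r"user=(?P<user>\S+) login from (?P<ip>[\d.]+) result=(?P<result>\w+)")


def allowed_networks(sources):
    """Parse the allow-list once; strict=False tolerates host bits in a prefix."""
    return [ipaddress.ip_network(s, strict=False) for s in sources]


def find_unexpected_logins(lines, sources=ALLOWED_SOURCES):
    """Return (user, ip, result) for each login attempt from a non-permitted source."""
    nets = allowed_networks(sources)
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and not any(ipaddress.ip_address(m["ip"]) in net for net in nets):
            hits.append((m["user"], m["ip"], m["result"]))
    return hits


def gaia_allowed_client_commands(sources=ALLOWED_SOURCES):
    """Emit Gaia clish 'allowed-client' lines for the same allow-list.
    Syntax recalled from the Gaia Administration Guide (an assumption): verify first."""
    cmds = []
    for net in allowed_networks(sources):
        if net.prefixlen == net.max_prefixlen:
            cmds.append(f"add allowed-client host ipv4-address {net.network_address}")
        else:
            cmds.append(f"add allowed-client network ipv4-address "
                        f"{net.network_address} mask-length {net.prefixlen}")
    cmds.append("save config")
    return cmds
```

Run `find_unexpected_logins(SAMPLE_AUDIT_LINES)` to list the two attempts from 45.0.0.99; anything it returns after the allowed-client list is in place points at a source that still reaches the management ports.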
the_rock
MVP Diamond

I agree with what the guys said, makes total sense.

Best,
Andy
"Have a great day and if it's not, change it"
