- Products
- Learn
- Local User Groups
- Partners
- More
What's New in R82.10?
Watch HereWhen the Agents Attack
A Live Look at Agentic Exposure Validation
AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
CheckMates Fest
Hello
would be possibie to open only on external interfaces ports use for site to site vpn and remote access?
best regards
Fabio
Unless you've disabled the relevant implied rules, this traffic should already be allowed.
but i would like to enable on a specific cluster only on the external interface, now is enabled on all interfaces like ike 500
If VPN is enabled, the gateway will listen on all interfaces on UDP port 500.
There is no way to prevent this from occurring and would require an RFE with your local Check Point office.
Access to VPN (Remote Access, Site-to-Site) is enabled through Implied Rules.
The only way to disable this access is either:
I recommend the latter approach versus the former one.
so you advice to keep implied rules?
In order to prevent VPN traffic from being accepted via Implied Rules, you would have to disable Accept Control Connections.
This would require continual maintenance of several rules unrelated to VPN.
Whereas with the fwaccel approach, it requires one command on each gateway to be run.
Though if you are using fwaccel on gateways regularly, you'll have to be mindful of these rules.
But with fwaccel the port is in listening you just drop traffic right?
Yes, the gateway is still listening on those ports.
However, when using the appropriate fwaccel dos commands, access to this port is rate-limited to zero, so no traffic will be received/processed by the daemon.
Which is more or less the exact same effect as disabling the Implied Rules would have.
Hello
can you show me an example command to block one vpn port? ex ike 500? and how to reverst in case?
Thank you
Probably something like (this blocks access to UDP port 500)
fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0
To revert, delete the relevant rule:
fwaccel dos rate del "<Rule UID>"
To get the rule UID, you need to parse the output of: fw samp get -l
More possibilities listed here: https://support.checkpoint.com/results/sk/sk112454
in case of a cluster i should set the cidr to the VIP? or still on physical?
If your goal is to prevent access, then I would specify both the VIP and physical IPs.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 66 | |
| 22 | |
| 7 | |
| 6 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 |
Tue 07 Jul 2026 @ 03:00 AM (IDT)
Check Point Cloud Firewall - The Cloud Firewall with near 100% Zero Day Prevention built in (ANZ)Tue 07 Jul 2026 @ 05:00 AM (IDT)
Check Point Cloud Firewall – The Cloud Firewall with near 100% Zero-Day Prevention Build In (SEAK)Tue 07 Jul 2026 @ 07:30 AM (IDT)
Check Point Cloud Firewall - The Cloud Firewall with near 100% Zero Day Prevention built in (IST)Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityTue 07 Jul 2026 @ 03:00 AM (IDT)
Check Point Cloud Firewall - The Cloud Firewall with near 100% Zero Day Prevention built in (ANZ)Tue 07 Jul 2026 @ 05:00 AM (IDT)
Check Point Cloud Firewall – The Cloud Firewall with near 100% Zero-Day Prevention Build In (SEAK)Tue 07 Jul 2026 @ 07:30 AM (IDT)
Check Point Cloud Firewall - The Cloud Firewall with near 100% Zero Day Prevention built in (IST)Thu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY