Re: VPN Port only on external interface

Bac26 · ‎2023-06-15

Hello

would be possibie to open only on external interfaces ports use for site to site vpn and remote access?

best regards

Fabio

PhoneBoy · ‎2023-06-15

Unless you've disabled the relevant implied rules, this traffic should already be allowed.

Bac26 · ‎2023-06-15

but i would like to enable on a specific cluster only on the external interface, now is enabled on all interfaces like ike 500

PhoneBoy · ‎2023-06-15

If VPN is enabled, the gateway will listen on all interfaces on UDP port 500.
There is no way to prevent this from occurring and would require an RFE with your local Check Point office.

Access to VPN (Remote Access, Site-to-Site) is enabled through Implied Rules.
The only way to disable this access is either:

Disabling implied rules and creating manual rules: https://support.checkpoint.com/results/sk/sk179346
Use fwaccel to rate limit access to UDP 500 similar to: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695 (more details on fwaccel dos here: https://support.checkpoint.com/results/sk/sk112454)

I recommend the latter approach versus the former one.

Bac26 · ‎2023-06-20

so you advice to keep implied rules?

PhoneBoy · ‎2023-06-20

In order to prevent VPN traffic from being accepted via Implied Rules, you would have to disable Accept Control Connections.
This would require continual maintenance of several rules unrelated to VPN.
Whereas with the fwaccel approach, it requires one command on each gateway to be run.
Though if you are using fwaccel on gateways regularly, you'll have to be mindful of these rules.

Bac26 · ‎2023-06-20

But with fwaccel the port is in listening you just drop traffic right?

PhoneBoy · ‎2023-06-21

Yes, the gateway is still listening on those ports.

However, when using the appropriate fwaccel dos commands, access to this port is rate-limited to zero, so no traffic will be received/processed by the daemon.
Which is more or less the exact same effect as disabling the Implied Rules would have.

Bac26 · ‎2023-06-22

Hello

can you show me an example command to block one vpn port? ex ike 500? and how to reverst in case?

Thank you

PhoneBoy · ‎2023-06-22

Probably something like (this blocks access to UDP port 500)

fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0

To revert, delete the relevant rule:

fwaccel dos rate del "<Rule UID>"

To get the rule UID, you need to parse the output of: fw samp get -l

More possibilities listed here: https://support.checkpoint.com/results/sk/sk112454

Bac26 · ‎2023-06-22

in case of a cluster i should set the cidr to the VIP? or still on physical?

PhoneBoy · ‎2023-06-23

If your goal is to prevent access, then I would specify both the VIP and physical IPs.

Are you a member of CheckMates?

VPN Port only on external interface