Re: Implied rules

Reinaldo_Fernan · ‎2018-12-04

Hello All,

I'm looking for some help with the following, at the moment I see lots of external traffic being allowed by an implied rule on port TCP 4500. On smartview tracker the only info I have is the source external IP to our external firewalls over Port TCP 4500, which I'm not sure what service is using this port. My first thought was VPN, but my understanding is that the IKE uses port udp or tcp 500 and NAT-T port udp 4500.

There is no indication what would be allowing this traffic, as the only info I have is Accept 0-Implied rules. I just double checked the implied rules but cannot see anything allowing port TCP 4500 (screenshot attached).

Can you provide some guidance please?

G_W_Albrecht · ‎2018-12-04

sk52421: Ports used by Check Point software :

UDP

4500

IKE_NAT_TRAVERSAL - NAT Traversal (NAT-T) Protocol

NAT Traversal adds a UDP header, which encapsulates the IPSec ESP header (by VPND daemon).

And:

sk62692: Ports used on Security Gateway for SecureClient and Endpoint Security VPN :

UDP 4500 - NAT-T port for industry standard UDP encapsulation

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Reinaldo_Fernan · ‎2018-12-04

Thank you for your prompt answer.

That is port UDP 4500, the behavior we are seeing is on port TCP 4500.

G_W_Albrecht · ‎2018-12-04

CP does not use that, so i think that there is no implied rule for it...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Reinaldo_Fernan · ‎2018-12-04

Well, I understand and I thought exactly the same...but if you see the screenshot that I attached that is not what it looks like.

Gaurav_Pandya · ‎2018-12-04

Hi,

Please check RFC 8229

https://tools.ietf.org/html/rfc8229

Reinaldo_Fernan · ‎2018-12-04

Thank you for your prompt answer.

I checked that document previously. Question is about implied rules, and we don't seem to have any implied rule to allow traffic on port TCP 4500 but we can see external IPs scanning our network and traffic over that port is being allowed.

_Val_ · ‎2018-12-04

TCP 4500 is used for TCP Encapsulation and is related to Remote Access VPN functionality.

Reinaldo_Fernan · ‎2018-12-04

Thank you for your prompt reply.

Can you please tell me what it is supposed to see on the comment for this implied rule? or what is the service or destination?

Reinaldo_Fernan · ‎2018-12-04

and what option exactly enables this functionality?

_Val_ · ‎2018-12-04

As far as I know, NAT-T + Remote Access VPN

However, if you have a concern about implied rules and handling of this traffic, please open a support case with TAC so we could investigate

Reinaldo_Fernan · ‎2018-12-04

Thanks Valeri.

Not familiar with open TAC cases. Can you please give me some guidance how to do this?

_Val_ · ‎2018-12-04

I mean, open a support case with your support partner or Check Point directly, according to your maintenance contract.

How to open a Service Request (SR)

Are you a member of CheckMates?

Implied rules