This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Reinaldo_Fernan
Contributor
‎2018-12-04 02:11 AM

Implied rules

Hello All,

I'm looking for some help with the following, at the moment I see lots of external traffic being allowed by an implied rule on port TCP 4500. On smartview tracker the only info I have is the source external IP to our external firewalls over Port TCP 4500, which I'm not sure what service is using this port. My first thought was VPN, but my understanding is that the IKE uses port udp or tcp 500 and NAT-T port udp 4500.

There is no indication what would be allowing this traffic, as the only info I have is Accept 0-Implied rules. I just double checked the implied rules but cannot see anything allowing port TCP 4500 (screenshot attached).

Can you provide some guidance please?

Preview file
58 KB
0 Kudos
12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-04 02:51 AM

sk52421: Ports used by Check Point software :

UDP4500IKE_NAT_TRAVERSAL - NAT Traversal (NAT-T) ProtocolNAT Traversal adds a UDP header, which encapsulates the IPSec ESP header (by VPND daemon).

And:

sk62692: Ports used on Security Gateway for SecureClient and Endpoint Security VPN :

UDP 4500 - NAT-T port for industry standard UDP encapsulation

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Reinaldo_Fernan
Contributor
‎2018-12-04 02:54 AM
In response to G_W_Albrecht

Thank you for your prompt answer.

That is port UDP 4500, the behavior we are seeing is on port TCP 4500.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-04 02:56 AM
In response to Reinaldo_Fernan

CP does not use that, so i think that there is no implied rule for it...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Reinaldo_Fernan
Contributor
‎2018-12-04 03:00 AM
In response to G_W_Albrecht

Well, I understand and I thought exactly the same...but if you see the screenshot that I attached that is not what it looks like.

0 Kudos
Gaurav_Pandya
Advisor
‎2018-12-04 03:11 AM

Hi,

Please check RFC 8229

https://tools.ietf.org/html/rfc8229

Reinaldo_Fernan
Contributor
‎2018-12-04 03:21 AM
In response to Gaurav_Pandya

Thank you for your prompt answer.

I checked that document previously. Question is about implied rules, and we don't seem to have any implied rule to allow traffic on port TCP 4500 but we can see external IPs scanning our network and traffic over that port is being allowed.

0 Kudos
_Val_
Admin
Admin
‎2018-12-04 03:20 AM

TCP 4500 is used for TCP Encapsulation and is related to Remote Access VPN functionality. 

Reinaldo_Fernan
Contributor
‎2018-12-04 03:23 AM
In response to _Val_

Thank you for your prompt reply.

Can you please tell me what it is supposed to see on the comment for this implied rule? or what is the service or destination?

0 Kudos
Reinaldo_Fernan
Contributor
‎2018-12-04 03:25 AM
In response to Reinaldo_Fernan

and what option exactly  enables this functionality?

0 Kudos
_Val_
Admin
Admin
‎2018-12-04 03:34 AM
In response to Reinaldo_Fernan

As far as I know, NAT-T + Remote Access VPN

However, if you have a concern about implied rules and handling of this traffic, please open a support case with TAC so we could investigate


0 Kudos
Reinaldo_Fernan
Contributor
‎2018-12-04 03:46 AM
In response to _Val_

Thanks Valeri.

Not familiar with open TAC cases. Can you please give me some guidance how to do this?

0 Kudos
_Val_
Admin
Admin
‎2018-12-04 04:42 AM
In response to Reinaldo_Fernan

I mean, open a support case with your support partner or Check Point directly, according to your maintenance contract. 

How to open a Service Request (SR) 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events