Jason_Dance
Collaborator

No authentication for port 18231 Policy Server Login (old)

Hello fellow community members!

Our security vulnerability scan has flagged that there are no authentication algorithms / ciphers for connections to port 18231 on our gateways (which, according to the awesome diagram from Heiko Ankenbrand, is "Policy Server Login (old)").

As we're using E80.xx Endpoint protect against a separate Policy server, I'm guessing we don't use this port any more (perhaps it was for the older R75 VPN client??).

Does anyone know of a way to secure this port, either by blocking it, or by making it offer secure SSL ciphers??

Regards,

Jason

6 Replies
PhoneBoy
Admin

HeikoAnkenbrand
Champion

Yes, with a SYN scan you see the port as open. 

If you check the TLS certificates, you see a TLS handshake.

Afterwards the Check Point communication follows.

Regards

Heiko

Jason_Dance
Collaborator

Thanks Dameon Welch-Abernathy.

Do you know if the E80.xx client will have any issues with setting this to TLS1.2?

0 Kudos
PhoneBoy
Admin

Possible some older VPN clients might.

0 Kudos
Jason_Dance
Collaborator

Interesting.  I applied the first two options in SK132712 to my R77.30 gateways, and the nmap scan has not shown any improvement.

PORT      STATE SERVICE         VERSION
18231/tcp open  ssl/fw1-pslogon Check Point FireWall-1 Policy Server logon
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F

0 Kudos
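As an added example (not from this thread or from Check Point), here is a small Python parser for nmap's ssl-enum-ciphers output that flags the two things the scanner complained about in the post above: anonymous DH suites (no server authentication, so an active MITM can impersonate the gateway) and legacy protocol versions. The embedded sample is the nmap block quoted in the post; the regexes assume nmap's usual `|`-prefixed script output layout.

```python
import re

# Constructed sample: the ssl-enum-ciphers block for tcp/18231 quoted in the post above.
SAMPLE_NMAP = """\
PORT      STATE SERVICE         VERSION
18231/tcp open  ssl/fw1-pslogon Check Point FireWall-1 Policy Server logon
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F
"""

# Protocol header lines look like "|   TLSv1.0:", cipher lines like "|       TLS_X - F".
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Za-z0-9_]+)\s+-\s+([A-F])\s*$")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [(cipher_name, nmap_grade), ...]} from ssl-enum-ciphers output."""
    suites = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suites[current].append((m.group(1), m.group(2)))
    return suites


def findings(suites):
    """List the issues a defender cares about: unauthenticated (anonymous DH)
    suites, other E/F-graded suites, and legacy protocol versions."""
    issues = []
    for proto, ciphers in suites.items():
        if proto in LEGACY_PROTOCOLS and ciphers:
            issues.append(f"legacy protocol offered: {proto}")
        for name, grade in ciphers:
            if "_anon_" in name:
                issues.append(f"{proto}: {name} has no server authentication")
            elif grade in ("E", "F"):
                issues.append(f"{proto}: {name} graded {grade}")
    return issues
```

Re-running the parser on a fresh `nmap -sV --script ssl-enum-ciphers -p 18231` capture after applying the SK changes gives a quick pass/fail check that does not depend on reading the output by eye.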
Antonis_Hassiot
Contributor

Any update here? We also performed the actions mentioned here: 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

for port 18231, but the port still shows as listening. 

The following line was already commented out as follows:

 /*#define ENABLE_FW1_PSLOGON_NG*/

0 Kudos