No authentication for port 18231 Policy Server Log...

Jason_Dance · ‎2018-11-30

Hello fellow community members!

Our security vulnerability scan has flagged that there is no authentication algorithm / ciphers for connections to port 18231 on our gateways (which according to the awesome diagram from Heiko Ankenbrand is "Policy Server Login (old)").

As we're using E80.xx Endpoint protect against a separate Policy server, I'm guessing we don't use this port any more (perhaps it was for the older R75 VPN client??).

Does anyone know of a way to secure this port, either by blocking it, or by making it offer secure SSL ciphers??

Regards,

Jason

PhoneBoy · ‎2018-11-30

Vulnerability scan shows port 18231 open under LISTEN mode when using TLS1.0 and TLS1.1

HeikoAnkenbrand · ‎2018-12-01

Yes, with a SYN scan you see the port as open.

If you check the TLS certificates, you see an TLS handshake.

Afterwards the Check Point communication follow.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Jason_Dance · ‎2018-12-03

Thanks Dameon Welch-Abernathy‌.

Do you know if the E80.xx client will have any issues with setting this to TLS1.2?

PhoneBoy · ‎2018-12-03

Possible some older VPN clients might.

Jason_Dance · ‎2018-12-03

Interesting. I applied the first two options in SK132712 to my R77.30 gateways, and the nmap scan has not shown any improvement.

PORT STATE SERVICE VERSION

18231/tcp open ssl/fw1-pslogon Check Point FireWall-1 Policy Server logon

| ssl-enum-ciphers:

| TLSv1.0:

| ciphers:

| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F

| TLS_DH_anon_WITH_AES_128_CBC_SHA - F

| TLS_DH_anon_WITH_AES_256_CBC_SHA - F

| compressors:

| NULL

| cipher preference: client

|_ least strength: F

Antonis_Hassiot · ‎2021-05-18

Any update here? We also performed the actions mentioned here:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

for port 18231, but the port still shows as listening.

The following line was already commented out as follows:

/*#define ENABLE_FW1_PSLOGON_NG*/

MaxGutberletRM · ‎2021-08-16

Just tried the same on 80.40 but without any apparent success either. Despite /*#define ENABLE_FWD_TOPO*/ and /*#define ENABLE_FW1_PSLOGON_NG*/ - validated on the MGR and on the two cluster members - the FW still listens on 18231 and fails basic PCI scan using Qualys.

_Val_ · ‎2021-08-16

Did you reboot or ran cpstop;cpstart after the modifying the files?

Antonis_Hassiot · ‎2021-08-23

We found that the port was disabled only after unticking Policy Server box and leaving it unticked. We didn't actually need Policy Server enabled. Otherwise the port would show as listening in netstat.

_Val_ · ‎2021-08-23

Strangely enough, that too is mentioned in the sk132712 you referenced above yourself.

Anyway, I am glad you have found the solution.

_Val_ · ‎2021-08-16

Also, read by the SK, you need to run additional modifications through SmartConsole

MaxGutberletRM · ‎2021-08-16

Already did that obviously - multiple times.

But we found the issue: we had a old EXPLICIT policy rule active that allowed 18231 to connect to the FW. So the implicit rules were disabled but an explicit rule still existed.

In addition to that, the statemet in the SK "You can disable the daemon completely by editing the implied_rules.def, and removing/commenting the relevant lines:" is incorrect - all you remove is the _access_ to the daemon but the daemon is still started which you can easily ceck by running the netsat on the GW which still shows the daemon listening.

But at least the PCI scan now is ok with the FW

Are you a member of CheckMates?

No authentication for port 18231 Policy Server Login (old)