This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Patrick_Tuttle
Participant
‎2018-03-14 12:19 PM

PCI Scan turns on ports dynamically

Tenable Scan will dynamically open up various ports "SMTP Server Non-standard Port Detection" only on 2 out of the 16 gateways in our production environment. So far it has only happened on the secondaries.

It does this everytime even after a fresh reboot of the gateway. 

All GW's are running R77.30 Jumbo 286.  Anyone ever heard of this.  We had a case opened a few months back but got no where. Any advice would be greatly appreciated. 

Thanks -pat

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2018-03-16 03:25 PM

Check Point gateways have userpsace processes that listen on random high ports.

The primary reason for this is to fold specific types of traffic into the processes that perform different types of content inspection.

It's entirely possible that, if you haven't implemented a stealth rule in your rulebase properly, that something like a Tenable may pick up one of these random high ports.

0 Kudos
Patrick_Tuttle
Participant
‎2018-03-19 06:32 AM
In response to PhoneBoy

Thanks I appreciate the explanation and replies.  We would like to implement an over scan rule / tighten up our stealth rule by not allowing any scans such as implementing SK110873 but so far We have been not successful in getting that change passed.

thanks again

-pat  

0 Kudos
Vladimir
Champion
Champion
‎2018-03-19 10:20 AM
In response to PhoneBoy

Dameon,

How doe the stealth rule works in situations when GW has to be directly accessible by internal hosts, (i.e. captive portal, user check portal, platform portal, etc.)?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-19 11:03 AM
In response to Vladimir

You would create the various required access rules prior to the Stealth Rule.

In fact, this may be a situation where a Policy Layer might be useful in R80.10+.

0 Kudos
Vladimir
Champion
Champion
‎2018-03-19 11:45 AM
In response to PhoneBoy

Something like this?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-19 01:11 PM
In response to Vladimir

Yeah like that

0 Kudos
Richard_Anton_V
Explorer
‎2019-05-30 07:24 PM

Hi , I also had this particular findings after a nessus (tenable) scan. Di you already find out the solution to eliminate the findings? thank you very much

 

Capture.JPG

0 Kudos
DR_74
Collaborator
‎2019-10-24 12:42 AM
In response to Richard_Anton_V

Hi,

Got the same behaviour on R80.20 gateway (with Management and gw on the same hardware). The question is why do they have those SMTP ports opened?

Even if  "The primary reason for this is to fold specific types of traffic into the processes that perform different types of content inspection." I don't understand why those ports are open.

Of course a Stealth Rules will mitigate the impact... but from a Security point of view, those are still open

 

0 Kudos
_Val_
Admin
Admin
‎2019-10-28 12:51 AM
In response to DR_74

Open port does not represent a security risk. The answer is already given: in case of content inspection, the traffic should be folded for inspection

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top