I have a Check Point Security Management Server that is NATed to a public IP, and I’ve noticed that port 19009 (used by SmartConsole, CPM service) is accessible from the internet due to an implied rule, even though I have configured the GUI Clients list. My setup is running R81.20 take 113.
Questions:
Why is the GUI Clients list not restricting network-level access to port 19009, allowing internet connections via an implied rule?
How can I configure the SMS to block access to port 19009 from the internet, ensuring only IPs in the GUI Clients list can connect?
Did you configure the Static NAT or Automatic Static Destination NAT? I guess it should not be an issue if a Manual NAT rule is configured. If not, then editing implied_rules.def and commenting out CPMI should resolve it. But be sure to check the file location as per your setup.
The connection goes through automatic NAT.
Just to make sure, if you run cpconfig via expert mode and then navigate to gui clients, does the IP in question show there?
Andy
I can confirm that the IP I'm connecting from is not in the cpconfig list. As a test, I also tried accessing via Proton VPN, and it works.
Now that I think about it, that won't help. The reason is that it's ONLY valid for access to SmartConsole, NOT anything else, so to block access to another port, you need an actual explicit rule in SmartConsole.
Andy
What's your API access set to? You can check with 'api status | grep Accessibility'.
Accessibility: Require local
Okay, so that's not the problem.
According to instructions from TAC, I disabled the Apply for Security Gateway control connections option. However, I received information that this might cause issues with VPN connections.
After disabling it, the MGMT is no longer reachable from the internet. What I’d like to understand is why the GUI Clients setting is not being applied, even though it is included in the implemented rule.
The reason why that's not applied is because it's only for access to SmartConsole.
Andy
I'm still not clear why it's not working through the GUI Clients list. Any ideas?
Ok...
Maybe someone else can correct me if I'm wrong when I say this, but I'm fairly sure that the GUI Clients list is ONLY for access to SmartConsole and the web UI, nothing else.
Andy
GUI Clients list is only for SmartConsole access and also SmartView Web.
Not for SSH and HTTPS (Gaia web portal).
Thanks Leslie, that's exactly what I thought. I believe it also applies to the web UI?
Sure, but what is 19009 used for besides SmartConsole?
Agree, that's it :-)
Welcome to 'implied rules' and 'control connections' from Check Point that no one can explain or understand. 🙂
We have multiple MDS setups with a global domain and VSX used in all of these, and trying to decipher what is opened automatically, with NAT in mind, is impossible. In light of these issues, we have access lists and/or 3rd party vendor firewalls in front of Check Point firewalls to actually know what our exposure is. I also have Shodan scans running against our public IP address range to discover these issues.
Regards,
Henrik
It certainly does get complicated, totally agree Henrik.
Andy