This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SubZer0
Contributor
3 weeks ago

Port 19009 on MGMT Server Accessible from Internet via Implied Rule Despite GUI Clients List

I have a Check Point Security Management Server that is NATed to a public IP, and I’ve noticed that port 19009 (used by SmartConsole, CPM service) is accessible from the internet due to an implied rule, even though I have configured the GUI Clients list. My setup is running R81.20 take 113.

Questions:

Why is the GUI Clients list not restricting network-level access to port 19009, allowing internet connections via an implied rule?

How can I configure the SMS to block access to port 19009 from the internet, ensuring only IPs in the GUI Clients list can connect?

 

0 Kudos
22 Replies
Blason_R
MVP Gold
MVP Gold
3 weeks ago

Did you configure the Static NAT or Automatic Static Destination NAT? I guess it should not be a issue if Manual NAT rule is configured. Or if not then editing implied_rules.def and commenting out CPMI should resolve it. But ensure to check the file location as per your setup.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
SubZer0
Contributor
3 weeks ago
In response to Blason_R

The connection goes through automatic NAT.

0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago

Just to make sure, if you run cpconfig via expert mode and then navigate to gui clients, does the IP in question show there?

Andy

Best,
Andy
0 Kudos
SubZer0
Contributor
3 weeks ago
In response to the_rock

I can confirm that the IP I'm connecting from is not in the cpconfig list. As a test, I also tried accessing via Proton VPN, and it works

0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to SubZer0

Not sure if it has to do with what I attached, though thats more for outbound.

Andy

Best,
Andy
Preview file
86 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to SubZer0

Now that I think about it, that wont help. Reason is because thats ONLY valid for access to smart console, NOT anything else, so to block access to another port, you need actual explicit rule in smart console.

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
3 weeks ago

What's your API access set to? You can check with 'api status | grep Accessibility'.

0 Kudos
SubZer0
Contributor
3 weeks ago
In response to Bob_Zimmerman

Accessibility: Require local

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
3 weeks ago
In response to SubZer0

Okay, so that's not the problem.

0 Kudos
SubZer0
Contributor
3 weeks ago
In response to Bob_Zimmerman

According to instructions from TAC, I disabled the Apply for Security Gateway control connections option. However, I received information that this might cause issues with VPN connections.

After disabling it, the MGMT is no longer reachable from the internet. What I’d like to understand is why the GUI Clients setting is not being applied, even though it is included in the implemented rule.

Screenshot 2025-09-30 183339.png

the image is subjective

 

 

0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to SubZer0

The reason why thats not applied is cause its only for access to smart console.

 

Andy

Best,
Andy
0 Kudos
SubZer0
Contributor
3 weeks ago
In response to the_rock

I'm still not clear why it's not working through the GUI clients list. Any ideas ?

0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to SubZer0

Ok...

Maybe someone else can correct me if Im wrong when I say this, but Im fairly sure that gui list is ONLY for access to smart console and web UI, nothing else.

Andy

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
3 weeks ago
In response to the_rock

GUI list is only for Smart Console access and also smart view web.

Not for SSH and https (gaia web portal) 

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to Lesley

Thanks Leslie, thats exactly what I thought. I believe it also applies to web UI?

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
3 weeks ago
In response to the_rock

Sure, but what is 19009 used for besides SmartConsole?

the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to Bob_Zimmerman

Agree, thats it : - )

Best,
Andy
0 Kudos
Henrik_Noerr1
Advisor
3 weeks ago

Welcome to 'implied rules' and 'control connections' from Check Point that noone can explain or understand. 🙂

We have multiple MDS setups with global domain and VSX used in all these - and trying to decipher what is opened automatically and with NAT in mind is impossible. In light of these issues, We have access lists and/or 3rd party vendor firewalls in front of Check Point firewalls to actually know what our exposure is. I also have shodan scans running against out public ip address range to discover these issues.

Regards,

Henrik

(1)
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to Henrik_Noerr1

It certainly does get complicated, totally agree Henrik.

Andy

Best,
Andy
Wolfgang
MVP Gold
MVP Gold
3 weeks ago

The GUI Clients list does not block access to port xxxxx for all other hosts. The login is disabled for those IP-addresses.

0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago
In response to Wolfgang

Thats right Wolfgang, seems thats only valid for web UI and smart console. Cleared some confusion I had about it as well.

Best,

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
2 weeks ago

Hey mate,

Were you able to get this sorted out?

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events