Port 264

Tony_Graham · ‎2018-11-29

A lot of ink has been spilled about Port 264 and Checkpoint products, I thought I would add some more. In general there has been a lot of negative press whether it is related to the hostname disclosure or using the port for denial of service attacks. My personal thoughts on it are this. Yes, the hostname disclosure probably provides a tiny bit of information which may or may not be 'publicly' available. Yes it may have been subject to a DDOS attack that someone concocted as a proof of concept on the risks of the exposure but none of that really has been an issue to me. What IS an issue to me is that this is a fairly simple way for a hacker to determine what type of firewall he/she may be dealing with. Even that to me is not overly concerning given that there are so many ways to simply introduce trojans into an environment, even with the myriad solutions that we have in place, and make much less noise and set off less alarms. So during my last port scan I ran across the BGP issue which, if you have auditors, you may know they frown on ports that are open.

I wasn't able to find a great deal on port 264 and Checkpoint outside of the usual canned response that 'it's publicly available information', and that's fine but I didn't want it. I found a few other posts that went on at length with a myriad of solutions. I even concocted my own...which didn't work. Taking a deep breath I read some more posts and ran across one that suggested turning off 'Accept Control Connections' in Global Properties. Now that answer was a bit nebulous as there are a number of sub-settings under 'Accept Control Connections' some of which, I'm fairly certain are needed. So I surmised that what the post meant to say, and the original poster was in a hurry and just took a stab at it, was to uncheck 'Accept Remote Access Control Connections'. So I started with that one. A port scan later and behold 264 was no longer responding. So a lot of ink has been spilled for something that is apparently very easy to solve.

Let me know if you find a side effect that it causes, but it seems fairly innocuous a change if you don't have any secure remote or VPN connections, even then I imagine you could create a more streamlined set of rules rather than making it a Global property.

G_W_Albrecht · ‎2018-11-30

I find sk17745 - Services allowed by "Accept Control Connections" option in "Global Properties" very helpfull. And we have on CheckMates: Ports Used for Communication by Various Check Point Modules.

As we find in sk52421 - Ports used by Check Point software, TCP port 264 is FW1_topo - Check Point Security Gateway SecuRemote Topology Requests: Topology Download from Security Gateway (by FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

_Val_ · ‎2018-11-30

Tony Graham, as mentioned here: Check Point response to SecuRemote Topology Service Hostname Disclosure (spoiler, SK is from 2012), we consider it a non-issue.

Just a note, if you remove "Accept Remote Access Control Connections" from the implied rules, it also disables a bunch of other services relevant to Remote Access. I suggest some due diligence when doing so

Are you a member of CheckMates?

Port 264

Port 264