LostBoY
Advisor

Port Status Closed vs Port Status Filtered

We recently had a PT scan run on our Check Point environment and it pointed out a few ports whose state is showing as CLOSED.

The recommendation from the SOC was to change it to filtered mode, i.e. in the scan these should reflect as FILTERED in place of CLOSED.


My query is: what does this actually mean? How can this be configured to change it from CLOSED to FILTERED?


Any help is appreciated.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

I presume:

  • Closed: A TCP Reset or an ICMP Port Unreachable was received in response to a probe attempt. This generally means you've reached the target host, though it can happen for other reasons as well.
  • Filtered: No response was received to a probe attempt. This generally means the traffic is being blocked by something along the way (i.e. a firewall), but can also happen for other reasons (routing issues).

To change from "Closed" to "Filtered" you would need to create the appropriate Access Policy rule to block the relevant traffic.


13 Replies
LostBoY
Advisor

What should be under "Action" for an access rule that should put a port in filtered mode?

0 Kudos
G_W_Albrecht
Legend

Block

CCSE CCTE CCSM SMB Specialist
0 Kudos
LostBoY
Advisor

OK, so a cleanup rule with any/any/any deny doesn't put a port in filtered mode? To put a port in filtered mode, an explicit block rule is required?

0 Kudos
PhoneBoy
Admin

What precise port on what precise device is being reported as Closed instead of Filtered?
The answer generally depends on what other access rules exist.
If the destination is a Check Point gateway, implied rules will also impact this.

0 Kudos
LostBoY
Advisor

TCP/444/SNPP/CLOSED
TCP/500/ISAKMP/CLOSED
TCP/4500/SAE-URN/CLOSED
TCP/8082/BLACKICE-ALERTS/CLOSED
TCP/8880/CDDBP-ALT/CLOSED
TCP/61447/UNKNOWN/CLOSED


These are the mentioned ports, but they are all for the GW IP and there is already a stealth rule present.

0 Kudos
PhoneBoy
Admin

Pretty sure the VPN ports there (500/4500) are being allowed through implied rules.
Same with port 444, which I believe is the legacy SNX portal.
If you have VPN enabled on your gateway those ports will be open.
We use various other random high ports for various security functions which may appear open.

0 Kudos
LostBoY
Advisor

The ones which are showing as CLOSED: if I put an explicit rule for these ports with action "BLOCK", will they reflect as FILTERED?

0 Kudos
G_W_Albrecht
Legend

Maybe TAC can help here much quicker?

CCSE CCTE CCSM SMB Specialist
0 Kudos
LostBoY
Advisor

Contacted TAC and they are saying there is no way to put a port in Filtered mode, which is quite surprising.

I guess nothing can be done in that case.

0 Kudos
PhoneBoy
Admin

Not if they're being allowed through implied rules, which the VPN ones are.
Not sure about the others, but an explicit "stealth rule" for the Security Gateway/Cluster is considered best practice. 

0 Kudos
G_W_Albrecht
Legend

TCP 444: Required port for Remote Access client Site Creation
TCP 500: IKE_tcp - IPSEC Internet Key Exchange Protocol over TCP; IKE negotiation over TCP (by VPND daemon)
TCP 4500: not predefined; relevant for cases where TCP encapsulation is used for RA VPN traffic
TCP 8082: not predefined; Internal SmartView port
TCP 8880: not predefined; Security Gateway listens on this port for communication with Mobile Access.


From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Bob_Zimmerman
Leader

Block and deny aren't actions in Check Point access rules. 😉 The precise terminology matters here.

In an access layer, the action Reject sends a RST in response to matching TCP connections, or an ICMP Destination Unreachable, Administratively Prohibited (type 3, code 13, I think) message in response to non-TCP traffic.

In an access layer, the action Drop discards the traffic silently.

I would argue with the SOC that it doesn't matter. Either result provides the same information back to a potential attacker: there is something there, and the traffic they tried isn't allowed. Hiding is not a valid strategy for network defense. Instead, set up a few canaries, and if anybody tries to access any of them, block the scanner for a day.

0 Kudos
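As an added illustration (not code from the thread or from Check Point), a small Python model of what the two answers above describe: first-match rule evaluation with implied rules ahead of the explicit policy, and the mapping from the action that wins (Accept, Drop, Reject) to the Open/Closed/Filtered verdict a scanner reports. The rulebase, the set of listening ports and the assumption that traffic matching no rule is dropped are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches any port
    action: str           # "accept", "drop" or "reject"

def first_match(rules, proto, port):
    """First-match evaluation, top to bottom, like an ordered access layer."""
    for r in rules:
        if r.proto in ("any", proto) and r.port in (None, port):
            return r
    return None

def scan_verdict(rules, proto, port, listening):
    """Translate how the gateway handles one probe into the state a scanner reports."""
    rule = first_match(rules, proto, port)
    if rule is None or rule.action == "drop":
        return "filtered"      # silently discarded: the scanner never gets a reply
    if rule.action == "reject":
        return "closed"        # RST (TCP) or ICMP admin-prohibited is sent back
    if rule.action != "accept":
        raise ValueError(f"unknown action {rule.action!r} in rule {rule.name!r}")
    # accepted: the probe reaches the gateway's own stack, which answers for itself
    return "open" if port in listening else "closed"   # SYN/ACK vs RST

# Constructed rulebase (assumptions: implied rules are evaluated before the explicit
# policy, and traffic matching no rule is dropped). Ports are the ones from the thread.
IMPLIED = [Rule("implied: IKE over TCP", "tcp", 500, "accept"),
           Rule("implied: TCP encapsulation for RA VPN", "tcp", 4500, "accept")]

def rulebase(stealth_action):
    """Implied rules, then a stealth rule with the given action, then a Drop cleanup."""
    return IMPLIED + [Rule("stealth rule", "any", None, stealth_action),
                      Rule("cleanup rule", "any", None, "drop")]

def report(stealth_action, ports, listening=frozenset()):
    """Verdict per TCP port for a gateway whose stealth rule uses stealth_action."""
    return {p: scan_verdict(rulebase(stealth_action), "tcp", p, listening) for p in ports}

if __name__ == "__main__":
    for action in ("drop", "reject"):
        # ports the implied rules accept stay Closed whatever the stealth rule does;
        # the others flip between Filtered (Drop) and Closed (Reject)
        print(action, report(action, [500, 4500, 8082, 8880]))
```

The model shows why an explicit Drop only turns a port Filtered when no earlier (implied) rule accepts it first, and why Reject and an accepted-but-not-listening port look identical to the scanner.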