This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2023-01-20 06:15 AM
Jump to solution

Port Status Closed vs Port Status Filtered

We recently had a PT Scan run on our Checkpoint environment and it pointed out a few ports whose state is showing as CLOSED.

The recommendation from SOC was to change it to filtered mode..i.e in scan these should reflect as FILTERED in place of CLOSED.

 

My query is what does this actually mean ? how can this be configured to change it from CLOSED to FILTERED ?

 

Any help is appreciated.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-01-20 11:37 AM
Jump to solution

I presume:

  • Closed: A TCP Reset or an ICMP Port Unreachable was received in response to a probe attempt. This generally means you've reached the target host, though it can happen for other reasons as well.
  • Filtered: No response was received to a probe attempt. This generally means the traffic is being blocked by something along the way (i.e. a firewall), but can also happen for other reasons (routing issues).

To change from "Closed" to "Filtered" you would need to create the appropriate Access Policy rule to block the relevant traffic.

View solution in original post

13 Replies
PhoneBoy
Admin
Admin
‎2023-01-20 11:37 AM
Jump to solution

I presume:

  • Closed: A TCP Reset or an ICMP Port Unreachable was received in response to a probe attempt. This generally means you've reached the target host, though it can happen for other reasons as well.
  • Filtered: No response was received to a probe attempt. This generally means the traffic is being blocked by something along the way (i.e. a firewall), but can also happen for other reasons (routing issues).

To change from "Closed" to "Filtered" you would need to create the appropriate Access Policy rule to block the relevant traffic.

LostBoY
Advisor
‎2023-01-27 01:43 AM
In response to PhoneBoy
Jump to solution

what should be under "Action" for an access rule which should put a port in filtered mode ?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-01-27 01:52 AM
In response to LostBoY
Jump to solution

Block

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LostBoY
Advisor
‎2023-01-27 02:05 AM
In response to G_W_Albrecht
Jump to solution

ok so a cleanup rule with any any any deny doesn't put a port in filtered mode..to put a port in filtered mode an explicit block rule is required ? 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-27 09:56 AM
In response to LostBoY
Jump to solution

What precise port on what precise device is being reported as Closed instead of Filtered?
The answer generally depends on what other access rules exist.
If the destination is a Check Point gateway, implied rules will also impact this.

0 Kudos
LostBoY
Advisor
‎2023-01-30 02:37 AM
In response to PhoneBoy
Jump to solution

TCP/444/SNPP/CLOSED TCP/500/ISAKMP/CLOSED TCP/4500/SAE-URN/CLOSED TCP/8082/BLACKICE-ALERTS/CLOSED TCP/8880/CDDBP-ALT/CLOSED TCP/61447/UNKNOWN/CLOSED

 

These are the mentioned ports but these are all for GW IP and there is already a stealth rule present.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-30 05:46 AM
In response to LostBoY
Jump to solution

Pretty sure the VPN ports there (500/4500) are being allowed through implied rules.
Same with port 444, which I believe is the legacy SNX portal.
If you have VPN enabled on your gateway those ports will be open.
We use various other random high ports for various security functions which may appear open.

0 Kudos
LostBoY
Advisor
‎2023-01-30 06:55 AM
In response to PhoneBoy
Jump to solution

The ones which are showing as CLOSED.. if i put an explicit rule for these ports with action "BLOCK" will they reflect as FILTERED ?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-01-30 06:56 AM
In response to LostBoY
Jump to solution

Maybe TAC can help here much quicker ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LostBoY
Advisor
‎2023-02-01 01:18 AM
In response to G_W_Albrecht
Jump to solution

Contacted TAC and they are saying there is not way to put a port in Filtered mode which is quite surprising.

I guess nothing can be done in that case.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-30 12:01 PM
In response to LostBoY
Jump to solution

Not if they're being allowed through implied rules, which the VPN ones are.
Not sure about the others, but an explicit "stealth rule" for the Security Gateway/Cluster is considered best practice. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-02-01 03:59 AM
In response to LostBoY
Jump to solution

TCP 444   Required port for Remote Access client Site Creation
TCP 500 IKE_tcp - IPSEC Internet Key Exchange Protocol over TCP IKE negotiation over TCP (by VPND daemon)
TCP  4500 not predefined  relevant for cases where TCP encapsulation is used for RA VPN traffic 
TCP 8082 not predefined  Internal SmartView port
TCP  8880 not predefined  Security Gateway listens on this port for communication with Mobile Access. 

 

From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-01-27 12:54 PM
In response to LostBoY
Jump to solution

Block and deny aren't actions in Check Point access rules. 😉 The precise terminology matters here.

In an access layer, the action Reject sends a RST in response to matching TCP connections, or an ICMP Destination Unreachable, Administratively Prohibited (type 3, code 13, I think) message in response to non-TCP traffic.

In an access layer, the action Drop discards the traffic silently.

I would argue with the SOC that it doesn't matter. Either result provides the same information back to a potential attacker: there is something there, and the traffic they tried isn't allowed. Hiding is not a valid strategy for network defense. Instead, set up a few canaries, and if anybody tries to access any of them, block the scanner for a day.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events