This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prime
Contributor
‎2020-05-29 03:03 PM
Jump to solution

Traffic to port 500 is accepted by implied rule on 0

We have observed a traffic permit from Source IP 106.75.64.59 (Blacklisted 6/114) to destination IP 202.56.229.167 on destination ports 500.
 
Observation:
 
* High no. of events to same destination IP
* Anomaly: Excessive Firewall Permit from Multiple Source
* As per the log analysis, we found there is a Firewall Permit on bharti firewall.

We have analysed the external to external traffic from source 106.75.64.59 (Blacklisted 6/114) to a single destination port.


Do we need to block the source if the communication is not legitimate?
If the source IP is legitimate, please confirm whether we can whitelist the same in our rule.

 

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-05-30 05:19 AM
Jump to solution

Hi @Prime

There are some implied rules that open certain ports on a gateway.
Depending on the settings in "Global Properties > Firewall" the ports can be different.

You can find an overview of used ports here:
R80.x - Ports Used for Communication by Various Check Point Modules

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2020-05-30 02:47 AM
Jump to solution

To confirm is the destination currently used to terminate VPNs?

(This may alter the suggestions provided)

CCSM R77/R80/ELITE
0 Kudos
Prime
Contributor
‎2020-05-30 04:42 AM
In response to Chris_Atkinson
Jump to solution

(202.56.229.167)this is our secondary firewall outside interface IP, we are not using for VPN
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-05-30 05:19 AM
Jump to solution

Hi @Prime

There are some implied rules that open certain ports on a gateway.
Depending on the settings in "Global Properties > Firewall" the ports can be different.

You can find an overview of used ports here:
R80.x - Ports Used for Communication by Various Check Point Modules

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-30 05:59 AM
Jump to solution

All IKE UDP 500 traffic to and from the gateway interfaces themselves (this does not include IKE traffic trying to transit the gateway) will always be allowed by these implied rules:

ike_implied.png

Once allowed the source IP address will be checked against a list of known VPN peers by vpnd, and if it doesn't match the IKE traffic is discarded.  While in most cases the two endpoints for a site-to-site VPN have fixed IP addresses, all IKE traffic to the gateway's interfaces must be initially accepted from any source IP address to cover the case of a Dynamically Assigned IP (DAIP) VPN peer.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Prime
Contributor
‎2020-05-30 09:54 AM
In response to Timothy_Hall
Jump to solution

 
Preview file
68 KB
0 Kudos
Prime
Contributor
‎2020-05-30 10:00 AM
In response to Prime
Jump to solution

is it the legitimate traffic and can we whitelist the same in our rule?

Should we block the source if the communication is not legitimate?

Attached the log

 

 

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-30 10:14 AM
In response to Prime
Jump to solution

You can't directly block UDP/TCP port 500 in the main Network/Firewall policy because it is allowed in the implied rules which are always "first"; it has to be initially allowed then later denied by vpnd as an invalid peer.  The only way to change this is to modify the implied rules settings in the Global Properties, but this is a great way to cause all kinds of nasty problems with basic firewall functionality and is NOT recommended.

I would suggest putting this attacking IP address in the SecureXL blacklist or in a SAM rule (sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer)), which would kill the traffic before it is even able to reach the first implied rules.  Or you could simply block that entire country with Geo Policy since it is applied prior to the first implied rules.  Geo Updatable Objects are referenced after the first implied rules, so you'll need to use Geo Policy instead of Geo Updatable Objects for blocking the attacker in this specific case.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events