This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PaCuS
Explorer
‎2025-04-30 01:40 PM
Jump to solution

Redirect public port 443 to internal 443 server.

Redirect public port 443 to internal 443 server.

Firewall: Checkpoint Quantum Spark 1800 Appliance

I need to publish an internal web service 443 to public IP 443, it can not be another port due to project specifications.

The first problem is that the remote access via VPN “takes over” the 443. If I change the port 443, then the next service that “takes over” is the “SSL Network Extender”, so I can never be able to serve a web server via 443 with access through the internet.

Can anyone help me?

Thanks.

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-05-08 06:31 AM
In response to PaCuS
Jump to solution

The capability to change the port might exist, but doing so doesn't work in a working configuration.
This is what is meant by "cannot be changed" and is expected behavior on SMB appliances.

View solution in original post

24 Replies
Chris_Atkinson
Employee Employee
Employee
‎2025-05-01 04:23 AM
Jump to solution

So you've already manipulated the following option?

Device > Advanced > Advanced setting: "Remote Access VPN - Reserve port 443 for port forwarding"

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2025-05-01 04:37 AM
Jump to solution

For what is worth, below are steps from chatgpt.

Andy

**********************

To redirect public port 443 to an internal server on port 443 using a Check Point SMB appliance (such as a 1400/1500 series), you need to configure Port Forwarding (NAT Rule) and Access Rule (Firewall Rule). Here's how you can do it via the Web UI:

Step-by-Step: Port Forward 443 to Internal Server

🔧 1. Log into the Web UI

  • Open a browser and go to: https://<firewall-ip>

  • Log in as admin

🔁 2. Create a Port Forwarding (NAT) Rule

  • Go to Network > NAT

  • Click Add

  • Fill in:

    • Name: HTTPS-Forwarding

    • Service: HTTPS (TCP 443)

    • Incoming Interface: Choose the external WAN interface

    • Destination IP: Leave blank or use the firewall's public IP

    • Translated IP: Enter the internal server's IP (e.g., 192.168.1.100)

    • Translated Port: Leave blank (or use 443 if needed)

This tells the firewall to forward traffic hitting port 443 to the internal IP.

🔥 3. Add a Firewall Access Rule

  • Go to Firewall > Access Policy

  • Click Add Rule

  • Set:

    • Source: Any or specific source IP/range

    • Destination: Firewall's external IP

    • Service: HTTPS

    • Action: Accept

    • Install On: This Gateway

4. Save & Apply Changes

  • Click Apply Changes at the top

🧪 Optional: Test It

  • From outside your network, open a browser and go to https://<your-public-IP>

  • It should forward you to your internal server

0 Kudos
PaCuS
Explorer
‎2025-05-01 09:41 AM
In response to the_rock
Jump to solution

And how do I configure the VPN client connections to work?

0 Kudos
the_rock
Legend
Legend
‎2025-05-02 04:18 PM
In response to PaCuS
Jump to solution

I cant say for sure unless I saw why its failing and do some troubleshooting/debug. I would test port 18234, which is tunnel test packets.

fw monitor -e "accept port(18234);"

Andy

0 Kudos
PaCuS
Explorer
‎2025-05-01 09:46 AM
In response to the_rock
Jump to solution

Hi

And how do I configure the VPN client connections to work?

0 Kudos
the_rock
Legend
Legend
‎2025-05-01 11:28 AM
Jump to solution

Might also be worth open TAC case to verify.

0 Kudos
PaCuS
Explorer
‎2025-05-01 11:37 AM
In response to the_rock
Jump to solution

They have not been able to give me a solution of any kind. (It's no joke).

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-05-02 07:01 PM
In response to PaCuS
Jump to solution

Per the advanced option I mentioned above did you both change the port and tick the option to reserve 443 for port forwarding?

Also is this a centrally or locally managed device...

 

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2025-05-02 07:22 PM
In response to Chris_Atkinson
Jump to solution

Hey Chris,

I believe that option you mentioned initially is for locally managed, I saw it on demo point lab...what would be equal if its centrally managed one?

Andy

0 Kudos
PaCuS
Explorer
‎2025-05-03 08:39 AM
In response to the_rock
Jump to solution

I didn't quite understand what you mean by local or centralised management.

My question is the following, once I change the port for VPN.
How do I configure the VPN client with the new port? For example 444.

PS: This Monday I plan to try all this again.

0 Kudos
the_rock
Legend
Legend
‎2025-05-03 09:11 AM
In response to PaCuS
Jump to solution

What we mean is is it managed by management server or on its own? You could try delete the site on client and then re-create it as vpn.mycompany.com:444 or whatever new port is and try, BUT, not sure if that would work if you change it on gw side, but give it a go.

Andy

0 Kudos
PaCuS
Explorer
‎2025-05-04 04:39 PM
In response to the_rock
Jump to solution

I have only managed to do the 443 redirection through one of the 2 WANs.

I can't do it with the 2nd WAN. 😕 (it only shows "This Gateway" and defaults to the first WAN)
VPN is overridden... I can't configure any vpn client with any different port. Example used vpn.compañia.com:444 (not working)

 

0 Kudos
the_rock
Legend
Legend
‎2025-05-04 04:41 PM
In response to PaCuS
Jump to solution

Does it even let you create a site using port 444?

Andy

0 Kudos
PaCuS
Explorer
‎2025-05-04 05:46 PM
In response to the_rock
Jump to solution

I've tried at least hehe But he hasn't left me. I don't care about the VPN issue. What really matters to me is the initial topic of the post and that it doesn't let me do it through the second WAN, only in the first.

0 Kudos
the_rock
Legend
Legend
‎2025-05-04 06:12 PM
In response to PaCuS
Jump to solution

K, hang on, now Im little confused. Are you trying to get this working via custom port or 2nd wan link?

Andy

0 Kudos
PaCuS
Explorer
‎2025-05-04 11:55 PM
In response to the_rock
Jump to solution

I have 2 WANs, I want to use one of the 2 WANs (public ip that corresponds to the second WAN, not the first). It's only working for me with the first one.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-05-08 06:12 AM
In response to PaCuS
Jump to solution

In Advanced Settings, for locally managed we have:

VPN Remote Access - Remote Access port

port

443

Select the port to which Remote Access clients connect, and SSL VPN Network extender portal uses

VPN Remote Access - Reserve port 443 for port forwarding

bool

false

Reserving port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network extender)

VPN Remote Access - Enable Visitor Mode on All Interfaces

options

All

Enable visitor mode on all interfaces

VPN Remote Access - Enable Visitor Mode on This Interface

ipv4addr

0.0.0.0

Support visitor mode on this interface

 

But we can not select WAN IFs here! On GAiA, the reference is https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2025-05-05 01:58 PM
In response to PaCuS
Jump to solution

Central Management: using a Smart-1 and SmartConsole.
Local Management: using device's WebUI and/or SMP 

As far as I know,  SMB devices only support "Visitor Mode" (used for Remote Access VPN) on TCP 443 only and cannot be changed.

0 Kudos
PaCuS
Explorer
‎2025-05-08 02:28 AM
In response to PhoneBoy
Jump to solution

Hello,

It can be changed, I changed it to 444 and I could use the 443 for the internal service I was interested in (for one of the 2 WAN I have, but it only lets me for one of the two), but this has caused that it has been cancelled to be able to use VPN, even if it is for 444, it is dropping the requests for 444.

There are two problems here right now.

1. VPN does not work.
2. I cannot use 443 redirection with the 2nd WAN.

 

0 Kudos
the_rock
Legend
Legend
‎2025-05-08 03:45 AM
In response to PaCuS
Jump to solution

1) When you say does not work, does that mean site cant be created or it can be but then people cant connect to anything internally?

2) 2nd WAN, are you even able to create site on that IP to begin with?

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-05-08 06:31 AM
In response to PaCuS
Jump to solution

The capability to change the port might exist, but doing so doesn't work in a working configuration.
This is what is meant by "cannot be changed" and is expected behavior on SMB appliances.

G_W_Albrecht
Legend Legend
Legend
‎2025-05-09 12:24 AM
In response to PhoneBoy
Jump to solution

RA config Capability is present as seen in the Advanced Settings shown below - but the second WAN is the issue, i suppose...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PaCuS
Explorer
‎2025-05-19 09:23 AM
In response to PhoneBoy
Jump to solution

But it has to be possible somehow...

0 Kudos
PhoneBoy
Admin
Admin
‎2025-05-19 10:33 AM
In response to PaCuS
Jump to solution

Since it is actually possible to change the Visitor Mode port (this was added in R81.10.xx firmware), the fact it's "not working" for either of your inquiries suggests you may want to involve TAC.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events