Re: DOS traffic from External IP going port 18264 ...

unavita · ‎2024-10-23

Hello Mates,

I'm new to Checkpoint, so please bear with me.

I noticed an alert for high traffic (potential DoS) in our SIEM coming from an external IP to our public-facing server via port 18264. I’m curious why this traffic is allowed. After some research, I found that this port might be governed by an implied rule, meaning the traffic is permitted by default, and some sources advise against blocking it.

My questions are:

Could this traffic have any negative impact on our server?
Is port 18264 vulnerable to exploitation?

_Val_

Quoting from sk52421

Protocol	Port number	Service Name and Comment	Usage
Infrastructure
TCP	18264	FW1_ica_services - Check Point Internal CA Fetch CRL and User Registration Services	Connections to Management Server for Certificate Revocation Lists (CRLs) and registering users when using the Endpoint Policy Server (for Endpoint Security clients)

See what which destinations are listed for this traffic. In a large environment, with many endpoint clients, it is possible that there is a lot of chatter on this port

unavita

Thanks mate. Appriciate it.

Are you a member of CheckMates?

DOS traffic from External IP going port 18264 (Implied Rule)