Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
David_Charnon
Collaborator

FWD Listening ports

Hi everyone,

 

Trying to track down some information on this.  sk52421 lists the specific ports listed by Check Point services, including FWD. However, when I run  "netstat -anp | grep fwd" on a gateway (in this case, running R80.20 with FW and IPS blades running), I get this output:

[Expert@xxxxxxxx:0]# netstat -anp | grep fwd

tcp        0      0 0.0.0.0:45568               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:41472               0.0.0.0:*                   LISTEN      24580/fwd           

tcp        0      0 0.0.0.0:51712               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:45856               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:33120               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:34336               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:256                 0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 127.0.0.1:1024              0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:37217               0.0.0.0:*                   LISTEN      24580/fwd           

tcp        0      0 0.0.0.0:56577               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:65057               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:257                 0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:48386               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:58658               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:62818               0.0.0.0:*                   LISTEN      24580/fwd

 

And on and on. What is the explanation for all the high ports listening on all interfaces?

 

Thanks,

 

Dave

 

0 Kudos
Reply
3 Replies
PhoneBoy
Admin
Admin

Connections going through the Security Gateway are sometimes "folded" into these listeners to further process traffic.
If you try and connect to these listeners, you should be disconnected.
0 Kudos
Reply
Timothy_Hall
Champion
Champion

Right, on a security gateway fwd is the parent process of all these listeners (sometimes called "security server" processes) and the high ports you see in listening state are used to redirect content for further inspection in process space on the gateway by the security server processes.

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
David_Charnon
Collaborator

Thanks everyone, this helps, Of course our security policy would block these connections, but I need to explain this to less technical, 3rd party reviewers and your explanations help.

 

Dave

0 Kudos
Reply