This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2019-09-24 05:52 AM

FWD Listening ports

Hi everyone,

 

Trying to track down some information on this.  sk52421 lists the specific ports listed by Check Point services, including FWD. However, when I run  "netstat -anp | grep fwd" on a gateway (in this case, running R80.20 with FW and IPS blades running), I get this output:

[Expert@xxxxxxxx:0]# netstat -anp | grep fwd

tcp        0      0 0.0.0.0:45568               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:41472               0.0.0.0:*                   LISTEN      24580/fwd           

tcp        0      0 0.0.0.0:51712               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:45856               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:33120               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:34336               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:256                 0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 127.0.0.1:1024              0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:37217               0.0.0.0:*                   LISTEN      24580/fwd           

tcp        0      0 0.0.0.0:56577               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:65057               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:257                 0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:48386               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:58658               0.0.0.0:*                   LISTEN      24580/fwd          

tcp        0      0 0.0.0.0:62818               0.0.0.0:*                   LISTEN      24580/fwd

 

And on and on. What is the explanation for all the high ports listening on all interfaces?

 

Thanks,

 

Dave

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-09-25 01:21 PM

Connections going through the Security Gateway are sometimes "folded" into these listeners to further process traffic.
If you try and connect to these listeners, you should be disconnected.
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-09-26 06:15 AM
In response to PhoneBoy

Right, on a security gateway fwd is the parent process of all these listeners (sometimes called "security server" processes) and the high ports you see in listening state are used to redirect content for further inspection in process space on the gateway by the security server processes.

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
David_C1
Advisor
‎2019-09-26 07:18 AM
In response to Timothy_Hall

Thanks everyone, this helps, Of course our security policy would block these connections, but I need to explain this to less technical, 3rd party reviewers and your explanations help.

 

Dave

0 Kudos
Dor_Marcovitch
Advisor
‎2022-01-27 05:26 AM
In response to David_C1

sk162619 states that FWD listens on random high ports. 

but i have a port that the FW has NAT configured on it and i see that "FWD" is listening on it...

shouldn't by some kind of check if this port FWD chosen is being used by NAT rules?

 

thanks

dor

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top