David_C1
Advisor

FWD Listening ports

Hi everyone,

 

Trying to track down some information on this. sk52421 lists the specific ports listed by Check Point services, including FWD. However, when I run "netstat -anp | grep fwd" on a gateway (in this case, running R80.20 with FW and IPS blades running), I get this output:

[Expert@xxxxxxxx:0]# netstat -anp | grep fwd
tcp        0      0 0.0.0.0:45568               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:41472               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:51712               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:45856               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:33120               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:34336               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:256                 0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 127.0.0.1:1024              0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:37217               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:56577               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:65057               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:257                 0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:48386               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:58658               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:62818               0.0.0.0:*                   LISTEN      24580/fwd

 

And on and on. What is the explanation for all the high ports listening on all interfaces?

 

Thanks,

 

Dave

 

0 Kudos
4 Replies
PhoneBoy
Admin

Connections going through the Security Gateway are sometimes "folded" into these listeners to further process traffic.
If you try and connect to these listeners, you should be disconnected.
0 Kudos
Timothy_Hall
Legend

Right, on a security gateway fwd is the parent process of all these listeners (sometimes called "security server" processes) and the high ports you see in listening state are used to redirect content for further inspection in process space on the gateway by the security server processes.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
David_C1
Advisor

Thanks everyone, this helps. Of course our security policy would block these connections, but I need to explain this to less technical, 3rd party reviewers and your explanations help.

 

Dave

0 Kudos
Dor_Marcovitch
Advisor

sk162619 states that FWD listens on random high ports. 

But I have a port that the FW has NAT configured on, and I see that "FWD" is listening on it...

Shouldn't there be some kind of check whether the port FWD has chosen is being used by NAT rules?

 

thanks

dor

0 Kudos
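
One way to summarise the fwd listeners for a reviewer and to check the NAT-overlap question raised in the last reply, as an added example that is not part of the original thread or Check Point tooling. The function names, the 1024 cutoff between "low" and "high" ports, and the NAT port list passed as arguments are assumptions; the sample lines are copied from the output posted in the question.

```sh
#!/bin/sh
# Sample input: lines copied from the netstat output in the question above.
SAMPLE='tcp        0      0 0.0.0.0:45568               0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:256                 0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 127.0.0.1:1024              0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:257                 0.0.0.0:*                   LISTEN      24580/fwd
tcp        0      0 0.0.0.0:62818               0.0.0.0:*                   LISTEN      24580/fwd'

# fwd_listeners: stdin = `netstat -anp` output. Prints "bind port class" for
# each TCP socket in LISTEN state owned by a process named exactly "fwd"
# (a plain `grep fwd` would also match other names containing "fwd").
fwd_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/fwd$/ {
         n = split($4, a, ":"); port = a[n]
         bind = substr($4, 1, length($4) - length(port) - 1)
         if (bind ~ /^127\./ || bind == "::1") cls = "loopback"
         else if (port + 0 < 1024)             cls = "low"   # assumed cutoff
         else                                  cls = "high"
         print bind, port, cls
       }'
}

# fwd_summary: one line of counts per class, for a report.
fwd_summary() {
  fwd_listeners | awk '{ c[$3]++ }
    END { printf "low=%d high=%d loopback=%d\n", c["low"], c["high"], c["loopback"] }'
}

# nat_overlap: stdin = netstat output, args = ports used in NAT rules.
# The list is supplied by the administrator; the rulebase is not read here.
# Prints each listed port that fwd is listening on (loopback binds ignored).
nat_overlap() {
  _want=" $* "
  fwd_listeners | while read -r _bind _port _cls; do
    if [ "$_cls" != "loopback" ]; then
      case "$_want" in *" $_port "*) echo "$_port" ;; esac
    fi
  done
}

# Demo on the sample; 443 and 62818 are a constructed NAT port list.
# On a gateway, pipe `netstat -anp` into the functions instead.
printf '%s\n' "$SAMPLE" | fwd_summary
printf '%s\n' "$SAMPLE" | nat_overlap 443 62818
```
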
