Has anyone implemented sk180808?
Hello. I have some gateways that accept traffic to the gateway itself on TCP/443, despite our stealth rule that should be preventing this. My apologies, as I see this is a frequently discussed topic on these forums.
We are looking at sk180808, which was presented to us as a possible solution. I want to make sure I fully understand the sk article before attempting to implement it.
- The CLI change is done on the management server, not the gateway. Is that correct?
- The change then takes effect on a gateway after you install policy on that gateway.
- In this sense, we can look at this as a "global" change that affects all of the gateway clusters under this management server. We may be able to install policy on only one cluster and test things out first, but one way or another all the other clusters will eventually have to get a policy install.
- Reverting, in case the results are not desirable: would that just be setting the value back to "0", cpstop; cpstart, then installing policy again? Or would "revert to previous revision and then install policy" work?
My last question: I'm wondering if there is any recommended reading on more fully understanding the "Multiportal Policy" in general. I have a rudimentary understanding that if you activate certain different blades and features on Check Point, one or more of those features provision a "portal" interface that may share the same IP/port as the portals for other blades/features, and that is why Implied Rules are used with the Multiportal policy.
What I would like a better understanding of is which features I have enabled that have put us into "multiportal mode". Is there a way to see which "portals" are turned on on a gateway?
Thanks for any information!
Accepted Solutions
I have done that sk with a couple of customers before, no issues. One was on R81.10 and the other on base R81. Yes, you apply it on the mgmt and then install policy on the gateway(s). To see which multi-portals are there, run mpclient list, and to see the status, run mpclient status followed by the portal name.
Hope that helps.
Andy
Thank you, this is helpful. Now that I see our multiportal list I have other questions too 🙂 One of mine listed is UserCheck, which shows our internal users the "website is blocked" page. I guess it never occurred to me that that is also a multiportal. Does this mean that after implementing sk180808 I may need to come up with an explicit rule in the security policy to allow internal users to still hit UserCheck? Or does sk180808 only have impacts for the Gaia portal?
Questions are free 😉
Anyway, I never had to change any of that with the UserCheck page, but personally, I would ensure it shows as below.
Andy
Btw, happy to test anything you need, I have fully working R81.20 and R82 labs going.
Andy
Have a nice weekend!
Sorry to bump an old thread. Just as a brief update, we finally implemented sk180808 last night on one of our gateway clusters. It successfully blocked HTTPS from public IPs, but there was an unexpected issue where it broke our Gaia web UI. It may be from how we were set up originally. The fix was that I had to go into the Cluster Object and change the Platform Portal to use port 4434 instead of port 443, and create the explicit allow rule for the firewall admins to use port 4434 instead of 443. After this, Gaia web started working again.
I believe this is not really a concern in newer jumbo hotfixes for R81.20, as per the sk, but yes, my bad, I forgot to mention originally that the web portal should be on a port other than 443 in this case.
Andy
