Our weekly scans show open ports for devices that have locked down rules. For example, we allow inbound access for HTTPS, but the external scans show ports TCP 1720, 5060 and 2000. We are also seeing TCP 1720 on non-existing IPs. I have used Tenable and Nmap scanners to verify. Any ideas?
Any chance you have a VoIP configuration or a remnant thereof? Do the IP addresses at least look familiar? Can you ARP for them?
No VoIP servers configured on that network that I know of. For the IPs I know that are live, we have rules that drop that traffic.
Hi!
Check this SK about the SIP port: "How to disable 'fw early SIP nat' chain / SIP inspection".
Regarding H.323, try deleting all h323 services on the dashboard (if you are not using VoIP services) and install policy.
That should do it.
@David_Chau We just observed similar behavior after an external scan. I see the thread here kind of died off... did you ever get a definitive answer to account for this behavior?
Hello,
Confirm that the defined rules are correctly matching the traffic, and look for NAT rules for any port forwarding.
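
A triage sketch for the situation in the original question, added here as an example and not posted by anyone in the thread: it reads Nmap grepable (`-oG`) output, compares each open TCP port with the ports the rulebase is meant to allow, and separates findings on addresses that have no host behind them from unexpected ports on live hosts. The scan text, the `ALLOWED` inventory and the verdict labels are constructed for illustration.

```python
import re

# Ports named in the thread: 1720 (H.323 call signalling), 5060 (SIP), 2000 (commonly Cisco SCCP).
VOIP_HELPER_PORTS = {1720, 5060, 2000}

# Constructed sample in nmap -oG format; addresses are from a documentation range.
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 1720/open/tcp//h323q931///, 5060/open/tcp//sip///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.99 ()\tPorts: 1720/open/tcp//h323q931///, 2000/open/tcp//cisco-sccp///\tIgnored State: filtered (998)
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (998)
"""

# Assumed inventory: live IPs and the inbound TCP ports the policy should allow.
ALLOWED = {"203.0.113.10": {443}, "203.0.113.11": {443}, "203.0.113.12": {443}}

def parse_open_tcp(grepable):
    """Return {ip: set of open TCP ports} from nmap -oG text."""
    result = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue
        ports = set()
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/protocol/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
        result[m.group(1)] = ports
    return result

def triage(scan, allowed):
    """List (ip, port, verdict) for every open port the policy does not allow."""
    findings = []
    for ip, ports in sorted(scan.items()):
        for port in sorted(ports - allowed.get(ip, set())):
            if ip not in allowed:
                verdict = "no-such-host"  # a device on the path answered, not a server
            elif port in VOIP_HELPER_PORTS:
                verdict = "voip-port-on-live-host"
            else:
                verdict = "unexpected-open-port"
            findings.append((ip, port, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_open_tcp(SAMPLE_SCAN), ALLOWED):
        print(*finding)
```

Findings marked `no-such-host` or `voip-port-on-live-host` are the ones to compare against the SIP and H.323 suggestions in the replies above; `unexpected-open-port` points back at the rulebase and NAT rules.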