Open ports found on existing and non-existing IPs

David_Chau · ‎2017-08-17

Our weekly scans show open ports for devices that have locked down rules. For example we allow inbound access for https but the external scans show ports TCP 1720, 5060 and 2000. We are also seeing TCP 1720 on non-existing IPs. I have used Tenable and NMAP scanners to verify. Any ideas?

Peter_Sandkuijl · ‎2017-08-24

Any chance you have a VoIP configuration or a remnant thereof? Do the IP addresses at least look familiar? Can you ARP for them?

David_Chau · ‎2017-08-24

No VOIP servers configured on that network that I know of. For the IPs I know that are live, we have rules that drop that traffic.

Juan_Lobera · ‎2017-12-21

Hi!

Check this SK about the SIP port. How to disable 'fw early SIP nat' chain / SIP inspection

Regarding H323, try deleting all h323 services on the dashboard (if you are not using voip services) and install policy.

That should do

Daniel_Taney · ‎2020-03-06

@David_Chau We just observed similar behavior after an external scan. I see the thread here kind of died off... did you ever get a definitive answer to account for this behavior?

R80 CCSA / CCSE

Zolo · ‎2022-03-31

Check this: https://community.checkpoint.com/t5/Russian/All-hosts-behind-Check-Point-have-open-tcp-1720-port-in-...

K_montalvo · ‎2022-03-31

Hello,

Confirm that define rules are correctly matching the traffic and look for NAT rules for any port forwardings

Are you a member of CheckMates?

Open ports found on existing and non-existing IPs