This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Chau
Contributor
‎2017-08-17 09:56 AM

Open ports found on existing and non-existing IPs

Our weekly scans show open ports for devices that have locked down rules.  For example we allow inbound access for https but the external scans show ports TCP 1720, 5060 and 2000.  We are also seeing TCP 1720 on non-existing IPs.  I have used Tenable and NMAP scanners to verify.  Any ideas?

0 Kudos
6 Replies
Peter_Sandkuijl
Employee
Employee
‎2017-08-24 12:18 AM

Any chance you have a VoIP configuration or a remnant thereof? Do the IP addresses at least look familiar? Can you ARP for them?

0 Kudos
David_Chau
Contributor
‎2017-08-24 12:18 PM
In response to Peter_Sandkuijl

No VOIP servers configured on that network that I know of.  For the IPs I know that are live, we have rules that drop that traffic.

0 Kudos
Juan_Lobera
Contributor
‎2017-12-21 09:03 AM

Hi!

Check this SK about the SIP port. How to disable 'fw early SIP nat' chain / SIP inspection 

Regarding H323, try deleting all h323 services on the dashboard (if you are not using voip services) and install policy.

That should do

0 Kudos
Daniel_Taney
Advisor
‎2020-03-06 10:20 AM

@David_Chau We just observed similar behavior after an external scan. I see the thread here kind of died off... did you ever get a definitive answer to account for this behavior?

R80 CCSA / CCSE
0 Kudos
Zolo
Participant
‎2022-03-31 01:38 PM
In response to Daniel_Taney

Check this: https://community.checkpoint.com/t5/Russian/All-hosts-behind-Check-Point-have-open-tcp-1720-port-in-...

0 Kudos
K_montalvo
Advisor
‎2022-03-31 02:40 PM

Hello,

Confirm that define rules are correctly matching the traffic and look for NAT rules for any port forwardings

0 Kudos