I thought I would let everyone know this issue is back. 444 is in reject mode. However, editing implied_rules.def is not stopping it now either. I also have port 80 and 443 that have appeared as open. No idea why. Has to have happened during and update. I have a ticket into TAC.

netstat -tulpn | grep ":444"

returns nothing of value.

There is a stealth rule in place so I assume if it something in Global that is overriding it.

As it is a Sandblast appliance there is no other product installed on it.

GRC does an autodetect to determine the originating IP for the scan which is my external gateway.

I have confirmed this. There are no running PIDs on that port that I can find.

You may have jogged a spider web out of my mind. In the past when this port popped up it had something to do with an external CP control connection in Global Properties. I don't recall which one needed to be unticked to stealth 444 but one of them does. I think it's an error that 444 isn't used. It might not be used but something exposes it and there is a clicky bit to turn it back off.

What @Chris_Atkinson said makes sense. That came to my mind as well...check implied_rules.def on mgmt server, as well as under gateway object -> vpn clients -> remote access -> support visitor mode...what port is listed there?

Andy

Well that's the trick. I cannot check gateway object --> vpn clients because there is not a menu for that.

R81. Inside implied_rules.def on mgmt server I see a line under

#define multiportal_real_ports_block_in

(dport in multiportal_real_ports) or (dport = 8880) or (dport =444) or (dport = 8802), IMPLIED_LOG, reject;

So something does monkey with 444. I think I'll contact TAC about it so they know the port is getting set as enabled but closed for some reason.

**UPDATE** The stealth rule does not block the 444 port.

Have a look Remote Access with Visitor Mode set to use TCP port 444 no longer works after upgrading to R77.30 

something was changed from default…

Yes. I have been through that SK. I do not wish to enable remote access.

I could change (dport in multiportal_real_ports) or (dport = 8880) or (dport =444) or (dport = 8802), IMPLIED_LOG, reject; 

to 'drop' from 'reject' but not sure what consequences/side-effects that would have for the other ports 8880 or 8802.

Do you  defined a static NAT rule for port 444?

No I have never used 444 for anything.

What about just removing the or (dport =444) ? You could test that...

I could but until I speak with TAC as to why it may have been there in the first place, I am opting to set it as drop for now.

It looks to me like it was a part of 77.30 (sk111974), but why it seems to be following me during upgrades I don't know. It's odd nobody else has seen this though.

"I would hate to advise anyone to change that file (implied_rules.def), BUT..", you just did LOL.

I was confident enough to give it a whirl as I was leaning that way myself.

By the way it worked. 444 is now stealthed again. I changed the line from 'reject' to 'drop'.

I don't know why I remember having to do this awhile back for the same reason. According to sk92281 this file

gets overwritten during upgrades so if I had made the change in the past it would have gotten zapped during my move to R81 last Friday. Still don't know why these entries in implied_rules.def are appearing to begin with.

Well, I did NOT advise you to change it...I said you COULD...lol. After all, its your firewall. I can only suggest things mate : - )

LOL. Sure, I'm just kidding with you.

Well, its good right? If it worked, no harm, you have original file anyway ; - )

Yes on both accounts. The biggest fear I always have is locking myself out of the device. I recall having to hook up with a serial connection once....<shudder>.

Good job! Well, as far as losing access, thats why you always carry console cable...better safe than sorry ; )

I would also wait for the statement of the TAC.