HeikoAnkenbrand
Champion

R8x Ports Used for Communication by Various Check Point Modules (new version 2.0)

Introduction

This drawing gives an overview of the ports and communication flows used by R80 and R81. It shows how the different Check Point modules communicate with each other. Services that are needed for firewall operation are also included; some of these services are mapped as implied rules in the firewall's rule set.

Overview

[Image: Ports_2.0a.jpg (port overview diagram)]

Download PDF

Download R8x version 2.0:
R8x Ports Used for Communication PDF

SmartConsole Extension


New!

I have now developed a SmartConsole Extension so that you can view the overview directly in SmartConsole.
In the Access Policy section, in the upper area, there is a tab called "Ports for Modules". More info here.

Extension URL: https://www.ankenbrand24.de/ex/ports.json

[Image: picture_ports_1_6546456.jpg (the "Ports for Modules" tab in SmartConsole)]

References

Support Center: Ports used by Check Point software 

Versions


Version 2.0:
+ v2.0f new! now with SmartConsole Extension 02/13/2023
+ v2.0e add LOM port 2048 01/31/2023
+ v2.0d add LOM ports 01/23/2023
+ v2.0c new colors + design 01/22/2023
+ v2.0b best mistake 🙂 SmartDashboard versus SmartConsole 01/22/2023
+ v2.0a correct names: SMS, MDS, SmartConsole, ... 01/21/2023

old Version 1.9:
+ v1.9a add port 443 cloud CME 19.03.2022
+ v1.9b fix port issue 442 cloud CME 22.03.2022

old Version 1.8:
+ v1.8a R81.10 EA update 04.05.2021
+ v1.8b add port 18264 30.05.2021
+ v1.8c R81.10 upgrade 28.07.2021

old Version 1.7:
+ v1.7a R81 EA update 17.07.2021
+ v1.7b bug fix 20.08.2021
+ v1.7c bug fix + new download link 25.06.2021

old Version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020

old Version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256  30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC -delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018

➜ CCSM Elite, CCME, CCTE
(36)
1 Solution

Accepted Solutions
Juan_Carlos
Contributor

No. Security Management Server also needs TCP8211 to connect to log server.

This is not explained in sk52421 but this is what I noticed on my R80.10 management platform :). If I remember, if TCP8211 is not open, then SmartLog (on the management server) cannot browse logs stored on the log server.

View solution in original post

294 Replies
Ivo_Marques
Contributor

Great stuff!

Thank you for the diagram. It will be helpful.

Maybe you can complement it with the connections that are used to update services or signatures, like IPS is the SmartDashboard that goes online if it's a manual update, the application control is the smart center, etc, etc.

Regards,

Ivo

markus
Explorer

Great job:

@HeikoAnkenbrand 

PhoneBoy
Admin

Nicely done!

Florian_Winterb
Participant

I think it's great.

Maybe you can get a bigger overview with more blades. I think that's very helpful.

HeikoAnkenbrand
Champion

I have released a new version 0.9 with the following features:
- VPN connections
- Secure Client
- Update server Check Point
- Sandblast Appliance
- DNS/NTP

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
(1)
HeikoAnkenbrand
Champion

Found a small bug in my drawing.
NAT-T is UDP 4500

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion

I have released a new version 0.9b with the following features:

- Identity Awareness

- Smart Reporter + Smart Event + Event Agent

- bug fixed

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
(1)
hong_jungil
Participant
This overview has been missing for a long time.
Keep up the good work!
Kaspars_Zibarts
Employee

You may add Identity Collector in it :) sorry about the diagram "quality work"

HeikoAnkenbrand
Champion

THX

I will update it in the next version!

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
PhoneBoy
Admin

I decided to rename the document.

Hope you don't mind :)

HeikoAnkenbrand
Champion

Identity Collectors is completed!

➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion

Is ok!

:)

➜ CCSM Elite, CCME, CCTE
(1)
Kaspars_Zibarts
Employee

Awesome!

Juan_Carlos
Contributor

Hello,

Thanks, useful diagram for R77. Would be very interesting for R80.XX! :)

We tried to get such information from the Support for R80.10 after we found out that opening 19009 was mandatory between management servers and log servers (DBsync<->CPM).

As per our Diamond Engineer it seems that R&D think it's not necessary to add the information in sk52421... :(

HeikoAnkenbrand
Champion

THX for this info.

I checked this port 19009. See Wireshark:

I think this is the database query from the DashBoard to the Management Server.

Check Point KB SK says:

I will add the R80.xx ports in the next version.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion

I have added R80 ports.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
Juan_Carlos
Contributor

Hello Heiko, I know that SmartConsole R80.10 needs TCP19009 to connect to the management server, this is explained in the sk :)

But what the sk does not explain is that all management servers (including dedicated log servers) need to connect to each other using TCP19009. We noticed that when we noticed CPM packets dropped between our management servers (including dedicated log servers).

Juan_Carlos
Contributor

By the way thanks for the new diagram :)

Silvia_Day
Contributor

Nice R80 port update!

Florian_Winterb
Participant

You can add routing protocols.

gateway <--> bgp, ospf, rip, ...

HeikoAnkenbrand
Champion

I add this in the next version. thx

➜ CCSM Elite, CCME, CCTE
Ben_Losinger
Participant

Hi heiko, such an overview, I have been looking for 10 years 

PhoneBoy
Admin

To be clear, we've had an SK with this information for years.

Back in my books, I did have a diagram showing some of this.

This is definitely a more complete diagram.

HeikoAnkenbrand
Champion

I think Dameon is right about his statement. This information has been available since version 4.0 FW-1 and I have been working with Check Point since version 3.
A very good overview of the ports can also be found in sk52421. This article has been available since 12-Aug-2010 or longer. I have already seen this in version 4.0 at the Check Point User Center.

Over the years I have also found many good diagrams in books.

Why do I make a diagram?

I think a picture says more than 1000 words!

Please help us with good ideas to expand the chart.

Thanks in advance.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
Juan_Carlos
Contributor

A picture like this one is definitely saying much more than words :)

There is also TCP8211 between management servers and log servers.

Hugo_vd_Kooij
Advisor

Is it me, or am I missing RADIUS itself? And TACACS can also be used to authenticate.

Do you think you can squeeze these into the drawing?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
HeikoAnkenbrand
Champion

Thx

Port 8211 is from R80 Multi-Domain Security Management Server to the Log Server.

I have not yet drawn up any communication for multi-domain management, vsx and 41/61K SyncXL.

But I'll do that in another drawing. Unfortunately, no more objects fit on an A3 sheet. But it will come!

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
(2)
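The accepted solution and the posts above agree on two management-side TCP ports that sk52421 does not spell out: 19009 (CPM, which management servers and dedicated log servers use to reach each other) and 8211 (Security Management Server or MDS to the log server, without which SmartLog cannot browse logs stored on the log server). The script below is an added example, not part of the thread or of any Check Point tool: run from the management server, it attempts a plain TCP handshake to a log server on those two ports and reports which ones are blocked, so a missing implied rule or intermediate firewall can be spotted before a SmartLog troubleshooting session. The host name is a placeholder and the port-to-purpose mapping is taken from the posts, not from sk52421.

```python
"""Check that the management-to-log-server ports named in the thread are reachable.

Added example: the port purposes below are summarised from the forum posts,
not from sk52421. Host names are placeholders.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# Ports the thread identifies as required between management servers and
# log servers (assumed mapping, taken from the posts above).
MGMT_TO_LOG_PORTS: Dict[int, str] = {
    19009: "CPM: management servers and dedicated log servers connect to each other",
    8211: "SMS/MDS to log server; needed for SmartLog to browse remote logs",
}


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes in time.

    Only the handshake is performed; the connection is closed immediately.
    Any socket error (refused, timeout, unreachable, DNS failure) counts as blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int],
                probe: Callable[[str, int], bool] = tcp_probe) -> Dict[int, bool]:
    """Probe every port in `ports` on `host`; map port -> reachable."""
    return {port: probe(host, port) for port in ports}


def missing_ports(results: Dict[int, bool],
                  purposes: Dict[int, str] = MGMT_TO_LOG_PORTS) -> List[Tuple[int, str]]:
    """Return (port, purpose) for every port that was not reachable, sorted by port."""
    return [(port, purposes.get(port, "")) for port, ok in sorted(results.items()) if not ok]


def report(host: str, results: Dict[int, bool],
           purposes: Dict[int, str] = MGMT_TO_LOG_PORTS) -> str:
    """Render a human-readable table of the probe results."""
    lines = [f"TCP port check from this host to {host}:"]
    for port, ok in sorted(results.items()):
        status = "open" if ok else "BLOCKED"
        lines.append(f"  tcp/{port:<6} {status:8} {purposes.get(port, '')}")
    blocked = missing_ports(results, purposes)
    if blocked:
        lines.append(f"{len(blocked)} required port(s) not reachable; "
                     "check implied rules and any firewall between the servers.")
    else:
        lines.append("All required ports reachable.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder host; pass the real log server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "log-server.example.invalid"
    results = check_ports(target, MGMT_TO_LOG_PORTS)
    print(report(target, results))
    sys.exit(1 if missing_ports(results) else 0)
```

A closed port shows as BLOCKED whether the cause is a firewall drop, a missing implied rule, or the service not listening, so a negative result locates the gap but does not say which side owns it; a non-zero exit code makes the check usable from a cron job or a monitoring hook.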
Ukko_Metsola
Participant

A picture like this one is definitely saying much more than words or port lists. :)
