HeikoAnkenbrand
Champion
R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing gives an overview of the ports and communication flows used by R80.x (and, in older versions of the drawing, R77) and shows how the different Check Point modules talk to each other. Services needed for general firewall operation (routing, DHCP, SNMP, backups and so on) are also included. Some of these services are represented in the rule base as implied rules on the firewall, so they will not appear as explicit rules even though the traffic is allowed.

Overview

[Figure: Ports_1.6a.JPG, overview diagram of R80.x ports and communication flows]

Download

Download: R80.x Ports Used for Communication PDF (new R80.30 version)

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References

Support Center: Ports used by Check Point software 

Versions


Version 1.7:
+ v1.7a R81 EA update 17.07.2020
+ v1.7b bug fix 20.08.2020

old version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020

old version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020

old version 1.4:
+ v1.4a bug fix, update port 1701 UDP L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 UDP VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix TCP/UDP ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add NetFlow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added R80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, RADIUS 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail SMTP - add DHCP - add SNMP 25.03.2018


266 Replies
Maria_Pologova
Collaborator

Not sure if anybody said that already, but FW1_ica_services (tcp 18264) is missing in communication between SmartConsole and Management server. Also, not sure if 18210 is being used in that communication.

C2
Explorer

That's indeed an omission from this otherwise great diagram. Note that tcp 18264 on the management is also accessed by gateways when they check for a CRL (they do this when running certificate-based centrally managed VPN). With default settings and without access to the CRL, VPN connections fail with "invalid certificate".

Tsvika_Gilman
Contributor

You have written very interesting articles here in Checkmates forum.

Thank you
Tsvika

Jodus
Explorer

Hi,

Really useful diagram, one to keep for sure.

I have a question regarding Endpoint Security VPN (formerly SecureClient), when creating the VPN sites the only way it would work is if I enabled visitor mode on the gateway. All appears to be working fine after creating the sites however I only ever see incoming 443 and UDP 4500, never see IKE over TCP or UDP, or ESP, is this behaviour right?

I assume the desktop policy downloaded from the policy server now runs over 443 too?

Thanks!

Delia_Pele
Explorer

Great job @HeikoAnkenbrand .

guesstimation
Participant

Great post!

How about Dedicated log server <> GW communication? Does this type of communication need the MGMT<>GW ports, or is a narrower subset enough?

Isabel_Brenner
Participant

nice

sabil
Participant

great job

Martin_Stolz
Participant

Hello Heiko!

Great diagram!


Regarding sk119134,
  TCP 18264 should be added between SmartConsole and CPMgmt/MDM.

That port allows SmartConsole to download CRLs from Management
and avoids the "CRLs failed to be downloaded" issue during SmartConsole start.

Ciao Martin

HeikoAnkenbrand
Champion

New ports updated.

HeikoAnkenbrand
Champion

Old R77.30 ports removed.

Tsvika_Gilman
Contributor

great job

R80
Explorer

nice port overview

James_T_Kirk
Participant

Great!

ute
Participant

👍

HeikoAnkenbrand
Champion

+v1.5b port update 26.01.2020

Steven_Sultana
Participant

I might be missing it, but I believe there is the following port missing from this diagram:

TCP 18264 - FW1_ica_services

When establishing a centrally-managed, certificate-authenticated VPN tunnel, the gateways check the CRL over this port in plaintext (since the tunnel is not yet up).

Thanks for the awesome diagram!!

Steven.

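The replies from C2, Martin_Stolz and Steven_Sultana above all point at the same failure mode: if TCP 18264 (FW1_ica_services) on the management server is blocked, gateways cannot fetch the ICA CRL before a certificate-based VPN is up, and SmartConsole cannot download CRLs at start. The following script is an added example for this thread, not code from the original post or from Check Point. It checks the three things a gateway implicitly depends on: a completed TCP handshake to port 18264, an HTTP 200 response, and a body that is at least structurally a DER-encoded CRL. The CRL path `/ICA_CRL1.crl`, the placeholder management address `192.0.2.10`, and the assumption that no proxy sits between gateway and management are this example's own assumptions, not facts stated on the page.

```python
"""Reachability and sanity check for the Check Point ICA CRL endpoint
(TCP 18264, FW1_ica_services) as discussed in the thread above.

Added example, not Check Point code. Assumptions (not stated on the page):
  * the CRL is served over plain HTTP at ICA_CRL_PATH on the management
    server; adjust if your CRL distribution point differs
  * no proxy sits between the gateway and the management server
"""
import http.client
import socket

ICA_CRL_PORT = 18264            # FW1_ica_services, see the replies above
ICA_CRL_PATH = "/ICA_CRL1.crl"  # assumed default CRL path on the management


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def looks_like_der_crl(data: bytes) -> bool:
    """Cheap structural check: a DER-encoded CRL is an outer SEQUENCE (tag 0x30)
    whose encoded length must match the size of the rest of the body.
    A 403 page or an HTML error body fails this immediately."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold length
    if n == 0 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


def fetch_crl(host: str, port: int = ICA_CRL_PORT, path: str = ICA_CRL_PATH,
              timeout: float = 5.0) -> bytes:
    """GET the CRL over plain HTTP. The gateway has no tunnel yet at this
    point, so this is unauthenticated, unencrypted traffic that the
    intermediate firewalls must allow on port 18264."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"CRL fetch failed: HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


def check_crl_endpoint(host: str, port: int = ICA_CRL_PORT,
                       path: str = ICA_CRL_PATH) -> dict:
    """Run the checks in the order a gateway would hit them and stop at the
    first failure, so the returned dict tells you which layer is broken."""
    result = {"tcp": False, "http": False, "der": False, "bytes": 0}
    result["tcp"] = tcp_reachable(host, port)
    if not result["tcp"]:
        return result                      # blocked: fix the rule base first
    try:
        body = fetch_crl(host, port, path)
    except (OSError, RuntimeError):
        return result                      # port open but no usable CRL served
    result["http"] = True
    result["bytes"] = len(body)
    result["der"] = looks_like_der_crl(body)
    return result


if __name__ == "__main__":
    import sys
    mgmt = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    print(check_crl_endpoint(mgmt))
```

Run it from the gateway (or from the host running SmartConsole) with the management address as the only argument; `tcp: False` means the path to 18264 is filtered, `tcp: True, http: False` means the port is open but the management is not answering the request, and `der: False` with `http: True` usually means something in between (a proxy or captive portal) is answering instead of the ICA.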
Amit_Singh
Participant

Hi 

I am looking at version v1.5 and can't see 18209; is this missing?

rolf
Participant

nice

H_W
Participant

Hi @HeikoAnkenbrand 

Hangs as a poster on my wall.


peter_baumg
Explorer

nice👍

Ute1
Explorer

Great job @HeikoAnkenbrand 

mike123
Participant

👍

HeikoAnkenbrand
Champion

Now with all new R80.40 ports.

Th-Chi
Participant

Nice picture!
HeikoAnkenbrand
Champion

Now with R80.40 update.

HeikoAnkenbrand
Champion

Azure ports update - 05.05.2020

Calvin_Piggott
Participant

This is an awesome diagram, much appreciated @HeikoAnkenbrand 

I'm very interested in the R80.40 and Azure update as I'm currently having some communication issues between on-prem management and CloudGuard IaaS (Azure).

mike123
Participant

nice


HeikoAnkenbrand
Champion

Now with cloud update!
