Matt_Taber
Contributor

R81.20 - iked running while IPSec VPN blade not enabled

Good afternoon 'mates.

We upgraded in place from R80.40 -> R81.20 JHF 26 last night, went very smoothly, cheers to MVC.

While reviewing this morning, I discovered there are new daemons for VPN (https://community.checkpoint.com/t5/General-Topics/New-VPN-daemons-in-R81-10-R81-20/td-p/168785)

What I can't seem to track down anywhere is why these daemons are running if we don't have the IPSEC VPN blade enabled on the cluster that was upgraded? We don't use CP for VPN access, so a bit concerned processes that aren't supposed to be enabled are running.

1) Don't worry about it?
2) How to really get them disabled?
3) R80.40 version didn't have the blade enabled either, but we would get alerted when internal pen test ran and connected to the gateways on udp/500. So they've been listening on a service we don't have enabled for quite some time.

Thanks for your insight.

the_rock
Legend

Hey @Matt_Taber ,

If you send us the daemons you see, we can check.

Andy

Matt_Taber
Contributor

iked and vpnd, but not cccd

 

[Expert@fw3:0]# ps aux|grep ike
admin 5716 0.1 0.1 276956 61676 ? Sl 01:37 0:48 iked 0
admin 5717 0.1 0.1 276900 61232 ? Sl 01:37 0:48 iked 1
admin 5718 0.1 0.1 276668 60888 ? Sl 01:37 0:48 iked 2
admin 5719 0.1 0.1 276944 61288 ? Sl 01:37 0:48 iked 3
admin 5754 0.1 0.1 277112 61336 ? Sl 01:37 0:48 iked 4

[Expert@fw3:0]# ps aux|grep vpn
admin 5715 0.1 0.2 299164 65444 ? SLl 01:37 0:52 vpnd 0

 

[Expert@fw3:0]# ps aux|grep ccc
admin 12953 0.0 0.0 2648 576 pts/2 S+ 13:19 0:00 grep --color=auto ccc

 

the_rock
Legend

Well, I learned something new today as well : - )

Yes, it is possible...see below, my lab R81.20 jumbo 26, no vpn blade.

Andy

 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...

 

[Expert@CP-TEST-FIREWALL:0]# enabled_blades
fw urlf appi ips mon
[Expert@CP-TEST-FIREWALL:0]# ps aux|grep ike
admin 7683 0.0 0.0 34916 5484 ? Ss Oct16 2:15 spike_detective
admin 9452 0.1 0.1 258308 42048 ? Sl Oct16 3:40 iked 0
admin 9453 0.1 0.1 258296 41740 ? Sl Oct16 3:36 iked 1
admin 9454 0.1 0.1 258308 41716 ? Sl Oct16 3:40 iked 2
admin 15503 0.0 0.0 2652 568 pts/2 S+ 13:39 0:00 grep --color=auto ike
[Expert@CP-TEST-FIREWALL:0]# vpn iked disable
vpn: disabling 'iked'...
vpn: reconfiguring system...

Installing Security Policy LAB-POLICY on all.all@CP-TEST-FIREWALL
IPS package: Compiled OK.
Fetching Security Policy from local succeeded
vpn: 'iked' is now disabled.

[Expert@CP-TEST-FIREWALL:0]# ps aux|grep ike
admin 7683 0.0 0.0 34916 5484 ? Ss Oct16 2:15 spike_detective
admin 16106 0.0 0.0 2652 572 pts/2 S+ 13:41 0:00 grep --color=auto ike
[Expert@CP-TEST-FIREWALL:0]# fw ver
This is Check Point's software version R81.20 - Build 012
[Expert@CP-TEST-FIREWALL:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000234 for GAIA
[FW1]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 26
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 012
kernel: R81.20 - Build 014

[Expert@CP-TEST-FIREWALL:0]#

Matt_Taber
Contributor

Appreciate you running that down! I will disable iked during a future maintenance window.

However, the gateways are still listening on udp/500, udp/4500 and tcp/444 via vpnd. I don't see a way to disable vpnd via CLI. Would it be safe to comment out this line from $FWDIR/conf/fwauthd.conf:

0 vpn vpnd respawn 0

I find it concerning that the gateways would still listen on ports that aren't configured to be enabled via a blade.  We have no need for UDP/500 or 4500 on these units.

Thank you again!

Matt_Taber
Contributor

Apparently my searching ability is subpar, thank you AGAIN for tracking this information down. Much appreciated. We do run Identity Awareness. Crazy that vpnd is responsible for the different portals.

 

[Expert@fw4:0]# for i in `mpclient list`; do echo $i ; mpclient status $i; done
DLPSenderPortal
Portal is running
SecurePlatform
Portal is running
UserCheck
Portal is running
ZeroPhishing
Portal is running
nac
Portal is running
nac_transparent_auth
Portal is running
saml-vpn
Portal is not running

[Expert@fw4:0]# for i in `mpclient list`; do echo $i ; mpclient getdata $i; done
DLPSenderPortal
Portal is not configured yet
SecurePlatform
Portal path prefix '' port 49927 hostname 'redacted' priority 10 encrypted 1
UserCheck
Portal path prefix '/UserCheck' port 56645 hostname 'redacted' priority 1000 encrypted 0
ZeroPhishing
Portal is not configured yet
nac
Portal is not configured yet
nac_transparent_auth
Portal is not configured yet
saml-vpn
Portal is not configured yet

I'll see if I can track down a way to disable udp/500 and 4500 from listening w/o impacting the portals.

 

the_rock
Legend

No problem at all, glad we can help. I would be careful when it comes to disabling anything to do with multi-portal, as it may cause you more headache.

Cheers,

Andy

HeikoAnkenbrand
Champion

Hi @Matt_Taber,

From version R81, the VPND has been replaced in many points by the IKED. You can read more in my article "New VPN daemons in R81.10 / R81.20". If a multiportal service other than the GAIA Portal (which corresponds to SecurePlatform) is started, the IKED (for older versions, R80.40 and lower, the VPND) is always started. The background is that the IKED is also responsible for certificate negotiation.

PS:
I think Check Point should revise the following sk109172 here. Unfortunately, only the VPND is described in this sk.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
_Val_
Admin

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

 

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

 

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.

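As an added example (not from the thread or from Check Point), the following script turns the checks discussed above into one audit: it reads captured `enabled_blades`, `ps aux` and `mpclient status` output plus the `vpn cccd status` line, reports whether iked/vpnd running without the IPsec VPN blade is explained by a running multi-portal service (Heiko's point), and flags an enabled cccd (Val's point). The sample captures are constructed, and the assumption that `enabled_blades` prints `vpn` for the IPsec VPN blade is marked in the code.

```python
# Constructed sample captures modelled on the thread's output (not real gateway data).
ENABLED_BLADES = "fw urlf appi ips mon"  # no 'vpn' token: IPsec VPN blade is off
PS_AUX = """\
admin 9452 0.1 0.1 258308 42048 ? Sl Oct16 3:40 iked 0
admin 9453 0.1 0.1 258296 41740 ? Sl Oct16 3:36 iked 1
admin 5715 0.1 0.2 299164 65444 ? SLl 01:37 0:52 vpnd 0
admin 7683 0.0 0.0 34916 5484 ? Ss Oct16 2:15 spike_detective
"""
MPCLIENT_OUT = """\
SecurePlatform
Portal is running
UserCheck
Portal is running
saml-vpn
Portal is not running
"""
CCCD_STATUS = "vpn: 'cccd' is disabled."
VPN_DAEMONS = ("iked", "vpnd", "cccd")

def running_vpn_daemons(ps_text):
    """Count instances of each VPN daemon in `ps aux` output (COMMAND is field 11)."""
    counts = {}
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) > 10 and fields[10] in VPN_DAEMONS:
            counts[fields[10]] = counts.get(fields[10], 0) + 1
    return counts

def extra_portals(mpclient_out):
    """Running portals other than the Gaia portal (SecurePlatform); per the thread,
    any of these keeps iked alive even with the IPsec VPN blade disabled."""
    lines = mpclient_out.strip().splitlines()  # output of the `for i in mpclient list` loop
    return sorted(name for name, status in zip(lines[0::2], lines[1::2])
                  if name != "SecurePlatform" and status == "Portal is running")

def audit(blades, ps_text, mpclient_out, cccd_status):
    """Return findings as strings; an empty list means nothing to act on."""
    findings = []
    daemons = running_vpn_daemons(ps_text)
    portals = extra_portals(mpclient_out)
    if "vpn" not in blades.split() and daemons:  # assumption: 'vpn' is the blade token
        why = (f"expected, kept alive by portals {portals}" if portals
               else "unexpected, consider 'vpn iked disable' in a maintenance window")
        findings.append(f"{sorted(daemons)} running without IPsec VPN blade: {why}")
    if "cccd" in daemons or "disabled" not in cccd_status:
        findings.append("cccd enabled: run 'vpn cccd disable' (SK182336 / CVE-2024-24919)")
    return findings
```

Call `audit()` with your own four captures; the constants above only show the expected input shape.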