HeikoAnkenbrand
Champion

R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)

Introduction

This drawing gives an overview of the ports and communication flows used by R80 and R81, and of how the different Check Point modules communicate with each other. Services that are needed for firewall operation are also included. Some of these firewall services are also represented as implied rules in the firewall's rulebase.

Overview

(Image: Ports.png, the ports overview diagram)

Download PDF

Download R8x version 2.0:
R8x Ports Used for Communication PDF

SmartConsole Extension


New!

I have now developed a SmartConsole Extension so that you can view the overview directly in SmartConsole.
In the Access Policy section, in the upper area, there is a tab called "Ports for Modules". More information here.

Extension URL: https://www.ankenbrand24.de/ex/ports.json

(Image: picture_ports_1_6546456.jpg)

References

Support Center: Ports used by Check Point software 

Versions
Version 2.1:
+ v2.1b  all new R82 ports (IA + RA VPN IKEv2)  10/29/2024
+ v2.1a  all new R81.20 ports (CloudGuard + VPN + ClusterXL)  07/15/2024

old Version 2.0:
+ v2.0f  new! now with SmartConsole Extension  02/13/2023
+ v2.0e  add LOM port 2048  01/31/2023
+ v2.0d  add LOM ports  01/23/2023
+ v2.0c  new colors + design  01/22/2023
+ v2.0b  best mistake 🙂 SmartDashboard versus SmartConsole  01/22/2023
+ v2.0a  correct names: SMS, MDS, SmartConsole, ...  01/21/2023

old Version 1.9:
+ v1.9a  add port 443 cloud CME  19.03.2022
+ v1.9b  fix port issue 442 cloud CME  22.03.2022

old Version 1.8:
+ v1.8a R81.10 EA update 04.05.2021
+ v1.8b add port 18264 30.05.2021
+ v1.8c R81.10 upgrade 28.07.2021

old Version 1.7:
+ v1.7a R81 EA update 17.07.2021
+ v1.7b bug fix 20.08.2021
+ v1.7c bug fix + new download link 25.06.2021

old Version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020

old Version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256  30.05.2018
+ v1.4i add port 259 udp VPN link probing  12.06.2018
+ v1.4j bug fix  17.06.2018
+ v1.4k add OSPF/BGP route sync  25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add NetFlow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC -delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(42)
308 Replies
HeikoAnkenbrand
Champion

add port 18264

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Amoli
Participant

Nice solution
Thanks

0 Kudos
Reimar_W
Participant

Still missing port 18164.

0 Kudos
T_Westwood
Participant

top

0 Kudos
Reimar_W
Participant

great

0 Kudos
HO
Participant

Is there a pdf version?

0 Kudos
HeikoAnkenbrand
Champion

Now with R81.10 port update.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
rami
Participant

nice👍

0 Kudos
HeikoAnkenbrand
Champion

Now with R81.10 port update.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Nils
Explorer

Nice 👍

0 Kudos
Venkata
Participant

Hanging as a poster at my workplace.
Thank you!

0 Kudos
HeikoAnkenbrand
Champion

Add port 443 cloud CME

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion

v1.9b  fix port issue 442 cloud CME

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
S_Henrioud
Explorer

Hello @HeikoAnkenbrand ,

I'm studying for CCSE R81.10 and your diagram is useful. It's a must have; I printed it and use it every day. Two questions for you:

I don't see anything about port TCP 18209 and CDT in your diagram (or am I blind?).

Here is the info that I have in the CCSE manual:

System Administrators can automatically install CPUSE offline packages on multiple Security
Gateways and cluster members at the same time using the Central Deployment Tool (CDT).
The CDT is a utility that runs on Gaia operating system Security Management Servers and
Multi-Domain Servers using software versions R77.30 and higher. The tool communicates
with gateways and cluster members over SIC via TCP port 18209.

And also, can you add the fact that VRRP uses multicast IP address 224.0.0.18?

Thanks and best regards

Mikael
Employee

Found an outbound CPMI (TCP/18190) to fortune.checkpoint.com when I clicked "Report Log to Check Point" in log details...

Might be good to know...

Great resource!

0 Kudos
Florian_Schneid
Participant

Hi,

First of all, thanks for that helpful chart!
I just noticed that initiating initial SIC requires 443 from management to the gateway. But that is not included in the drawing.

br

Florian

0 Kudos
_Val_
Admin

Funny that after so many years, the diagram still says SmartDashboard and not SmartConsole, although showing CPM TCP port 19009, which is explicitly used by the latter. 

HeikoAnkenbrand
Champion

Yes, the names were 8 years old and no one had noticed this 🙂

I have changed that.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
lars_e
Explorer

Great stuff!

0 Kudos
oli007
Participant

nice

0 Kudos
zr4
Participant

Are these the implied roles?

0 Kudos
HeikoAnkenbrand
Champion

Hi @zr4,

these are not the implied rules but an overview of almost all ports that Check Point uses for its communication between the systems.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion

All LOM ports are now included in the overview.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
David_C1
Advisor

Really love this chart. If only every vendor published something like this so we could write accurate firewall policy for their products...

I do not see TCP 18265 on the chart for the ICA portal. Just a suggestion.

Dave

ODO
Participant

Top!

0 Kudos
CheckPointerXL
Advisor

Hi all,

I see that my Domain Log Servers are trying to contact the gateways on port 256... I cannot see any documentation about this flow. Any help?

0 Kudos
PhoneBoy
Admin

According to the official documentation:

Connections to Security Gateway Service (to FWD daemon):

  • Fetching topology information by Security Gateway (by FWD daemon) from Security Management Server or Domain Management Server (CMA)
  • Full Synchronization between ClusterXL members in versions R80.40 and lower
    (To perform a Full Sync with a peer cluster member, the FWD daemon on a cluster member connects to the TCP port 256 on the peer cluster member)
  • IPS packet capture

Only the last one of these makes sense in this situation.
The packet captures are stored on the gateway and retrieved by the management/log server on request.
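The question above is really a policy-audit question: which of the documented users of TCP/256 (topology fetch by the gateway, ClusterXL full sync, IPS capture retrieval) explains a given connection, and which connections on management ports have no documented explanation. The script below is an added example, not code from this thread or from Check Point. It encodes only the flows stated in the thread (port 256 as quoted from the documentation, 18209 for CDT, 443 for initial SIC, and 19009 for CPM, where the direction from SmartConsole to the management server is an assumption), runs them over a constructed host inventory and constructed key=value log lines (not Check Point's log format), and reports connections on those ports whose source/destination roles are not a documented pairing.

```python
import re
from typing import Dict, List, Set, Tuple

# Flows stated in this thread, keyed by (protocol, destination port).
# Each value is the set of (source role, destination role) pairs that
# legitimately use that port. 256, 18209 and 443 follow the thread's
# statements; the 19009 direction (SmartConsole as client) is an assumption.
EXPECTED_FLOWS: Dict[Tuple[str, int], Set[Tuple[str, str]]] = {
    ("tcp", 256): {
        ("gateway", "management"),   # FWD fetches topology from the SMS / CMA
        ("gateway", "gateway"),      # ClusterXL full sync, R80.40 and lower
        ("management", "gateway"),   # IPS packet capture retrieved on request
        ("logserver", "gateway"),    # same retrieval, from a log server
    },
    ("tcp", 18209): {("management", "gateway")},       # CDT over SIC
    ("tcp", 443): {("management", "gateway")},         # initial SIC
    ("tcp", 19009): {("smartconsole", "management")},  # CPM (assumed direction)
}

# Constructed host inventory for the example; not taken from the page.
HOST_ROLES: Dict[str, str] = {
    "10.0.0.10": "management",
    "10.0.0.11": "logserver",
    "10.0.1.1": "gateway",
    "10.0.1.2": "gateway",
    "10.0.5.50": "smartconsole",
    "10.0.9.99": "workstation",
}

# Constructed log lines in a simple key=value layout (not Check Point's format).
SAMPLE_LOG: List[str] = [
    "src=10.0.1.1 dst=10.0.0.10 proto=tcp dport=256 action=accept",     # topology fetch
    "src=10.0.0.10 dst=10.0.1.1 proto=tcp dport=256 action=accept",     # IPS capture fetch
    "src=10.0.9.99 dst=10.0.1.1 proto=tcp dport=256 action=accept",     # workstation -> gateway
    "src=10.0.0.10 dst=10.0.1.2 proto=tcp dport=18209 action=accept",   # CDT
    "src=10.0.9.99 dst=10.0.1.2 proto=tcp dport=18209 action=accept",   # workstation -> CDT port
    "src=10.0.5.50 dst=10.0.0.10 proto=tcp dport=19009 action=accept",  # SmartConsole -> CPM
    "src=10.0.1.1 dst=10.0.1.2 proto=tcp dport=256 action=accept",      # cluster full sync
    "src=10.0.7.7 dst=10.0.1.1 proto=tcp dport=256 action=accept",      # host not in inventory
    "src=10.0.9.99 dst=10.0.1.1 proto=tcp dport=80 action=drop",        # port not audited
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; unrecognised keys are kept as-is."""
    return dict(_KV.findall(line))


def audit(lines: List[str], roles: Dict[str, str]) -> List[Tuple[int, str, str, int, str]]:
    """Return (line number, src, dst, port, reason) for every connection on an
    audited port whose (source role, destination role) pair is not documented.
    Hosts missing from the inventory get the role "unknown", which never matches."""
    findings = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        try:
            key = (fields["proto"].lower(), int(fields["dport"]))
        except (KeyError, ValueError):
            continue  # malformed line: nothing to evaluate
        allowed = EXPECTED_FLOWS.get(key)
        if allowed is None:
            continue  # not one of the documented management/gateway ports
        src, dst = fields.get("src", ""), fields.get("dst", "")
        src_role = roles.get(src, "unknown")
        dst_role = roles.get(dst, "unknown")
        if (src_role, dst_role) not in allowed:
            reason = f"{src_role} -> {dst_role} is not a documented use of tcp/{key[1]}"
            findings.append((number, src, dst, key[1], reason))
    return findings


if __name__ == "__main__":
    for number, src, dst, port, reason in audit(SAMPLE_LOG, HOST_ROLES):
        print(f"line {number}: {src} -> {dst} tcp/{port}: {reason}")
```

On the constructed sample the audit flags lines 3, 5 and 8: a workstation reaching a gateway on 256 and 18209, and a host that is not in the inventory at all reaching a gateway on 256. The log-server-to-gateway connection from the question would be accepted as the IPS capture retrieval flow, which is the point of keeping the role pairs explicit rather than only whitelisting the port.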

CheckPointerXL
Advisor

I already read that doc... yes, probably I underrated that point; of course it is not intuitive.

Thank you

0 Kudos
PhoneBoy
Admin

I happen to be familiar with the IPS packet capture thing as I was working with a customer some years ago on fetching the IPS packet capture from the CLI. 🙂

0 Kudos