- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- Re: R8x Ports Used for Communication by Various Ch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)
Introduction |
---|
This drawing should give you an overview of the used R80, R81 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.
Overview |
---|
Download PDF |
---|
Download R8x version 2.0:
R8x Ports Used for Communication PDF
SmartConsole Extention |
---|
New!
Now I have developed a SmartConsole Extension so that you can view the overview directly in the SmartConsole.
In the Access Policy section in the upper area, there is a tab called "Ports for Modules". More infos here.
Extension URL: https://www.ankenbrand24.de/ex/ports.json
References |
---|
Support Center: Ports used by Check Point software
Versions |
---|
Version 2.1:
+ v2.1b all new R82 ports (IA + RA VPN ikev2) 10/29/2024
+ v2.1a all new R81.20 ports (Cloudguard + VPN + ClusterXL) 07/15/2024
old Version 2.0:
+ v2.0f new! now with SmartConsole Extension 02/13/2023
+ v2.0e add LOM port 2048 01/31/2023
+ v2.0d add LOM ports 01/23/2023
+ v2.0c new colors + design 01/22/2023
+ v2.0b best mistake 🙂 SmartDashboard versus SmartConsole 01/22/2023
+ v2.0a correct names : SMS, MDS, SmartConsole, ... 01/21/2023
old Version 1.9:
+ v1.9a add port 443 cloud CME 19.03.2022
+ v1.9b fix port issue 442 cloud CME 22.03.2022
old Version 1.8:
+ v1.8a R81.10 EA update 04.05.2021
+ v1.8b add port 18264 30.05.2021
+ v1.8c R81.10 upgrade 28.07.2021
old Version 1.7:
+ v1.7a R81 EA update 17.07.2021
+ v1.7b bug fix 20.08.2021
+ v1.7c bug fix + new download link 25.06.2021
old Version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020
old Version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020
old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probeing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019
old version 1.3:
+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix designe 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701
old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018
+ v1.1e - add OPSEC -delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018
- Tags:
- ad
- backup
- blades
- ccp
- clusterxl
- cmi
- communication
- dashboard
- dhcp
- dns
- dynamic routing
- edge
- endpoint vpn
- esp
- event agent
- ftp
- gateway
- ha_info
- http
- ia
- icap
- identity awareness
- identity collector
- ike
- implied rules
- infrastructure
- ise
- ldap
- log
- lom
- modules
- nat-t
- nat-tranversal
- netflow
- ntp
- opsec
- ospf
- performance
- ports
- r80
- r80.10
- r80.10 gateway
- r80.10 management
- r80.20
- R81
- r81.10
- radius
- rdp
- route
- routed
- router
- routing
- rsa
- sandblast
- secure client
- secure gateway
- security management
- smart event
- smart reporter
- smartdomain manager
- smtp
- snmp
- software blades
- tacacs
- threat prevnetion
- threatemulation
- used ports
- utm-1
- vpn
- vrrp
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
add port 18264
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice solution
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still missing port 18164.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
top
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
great
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a pdf version?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now with R81.10 port update.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nice👍
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now with R81.10 port update.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice 👍
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hanging as a poster at my workplace.
Thank you!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add port 443 cloud CME
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
v1.9b fix port issue 442 cloud CME
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @HeikoAnkenbrand ,
I'm studying for CCSE R81.10 and your diagram is useful. It's a must have, I print it and use it everyday. Two questions for you :
I don't see anything about port tcp 18209 and CDT in you diagram (or Am I blind ?)
Here is the info that I have in the CCSE manual :
System Administrators can automatically install CPUSE offline packages on multiple Security
Gateways and cluster members at the same time using the Central Deployment Tool (CDT).
The CDT is a utility that runs on Gaia operating system Security Management Servers and
Multi-Domain Servers using software versions R77.30 and higher. The tool communicates
with gateways and cluster members over SIC via TCP port 18209.
And also can you add the fact that VRRP use multicast ip address 224.0.0.18 ?
Thanks and best regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found an outbound CPMI (TCP/18190) to fortune.checkpoint.com when I clicked "Report Log to Check Point" in log details...
Might be good to know...
Great resource!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
first of thanks for that helpful chart!
I just noticed that initiating initial SIC requires 443 from management to the Gateway. But that is not included in the drawing.
br
Florian
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Funny that after so many years, the diagram still says SmartDashboard and not SmartConsole, although showing CPM TCP port 19009, which is explicitly used by the latter.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the names were 8 years old and no one had noticed this 🙂
I have changed that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great stuff!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nice
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are these the implied roles?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zr4,
these are not the implied rules but an overview of almost all ports that Check Point uses for its communication between the systems.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All LOM Prots are now included in the overview.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Top @HeikoAnkenbrand
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Really love this chart. If only every vendor published something like this so we could write accurate firewall policy for their products...
I do not see TCP 18265 on the chart for the ICA portal. Just a suggestion.
Dave
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Top!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
i see that my Domains Log Server are trying to contact the gateways on port 256... i cannot see any documentation about this flow, any help?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to the official documentation:
Connections to Security Gateway Service (to FWD daemon):
- Fetching topology information by Security Gateway (by FWD daemon) from Security Management Server or Domain Management Server (CMA)
- Full Synchronization between ClusterXL members in versions R80.40 and lower
(To perform a Full Sync with a peer cluster member, the FWD daemon on a cluster member connects to the TCP port 256 on the peer cluster member) - IPS packet capture
Only the last one of these makes sense in this situation.
The packet captures are stored on the gateway and retrieved by the management/log server on request.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already read that docs... yes, probably i underrated that point, of course is not intuitive
Thank you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I happen to be familiar with the IPS packet capture thing as I was working with a customer some years ago on fetching the IPS packet capture from the CLI. 🙂
