Solved: Re: R8x Ports Used for Communication by Various Ch... - Page 10

HeikoAnkenbrand · ‎2018-03-01

Introduction

This drawing should give you an overview of the used R80, R81 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.

Overview

Download PDF

Download R8x version 2.0:
R8x Ports Used for Communication PDF

SmartConsole Extention

New!

Now I have developed a SmartConsole Extension so that you can view the overview directly in the SmartConsole.
In the Access Policy section in the upper area, there is a tab called "Ports for Modules". More infos here.

Extension URL: https://www.ankenbrand24.de/ex/ports.json

References

Support Center: Ports used by Check Point software

Versions

Version 2.1:
+ v2.1b all new R82 ports (IA + RA VPN ikev2) 10/29/2024
+ v2.1a all new R81.20 ports (Cloudguard + VPN + ClusterXL) 07/15/2024

old Version 2.0:
+ v2.0f new! now with SmartConsole Extension                                02/13/2023
+ v2.0e add LOM port 2048                                                                       01/31/2023
+ v2.0d add LOM ports                                                           01/23/2023
+ v2.0c new colors + design                                                                      01/22/2023
+ v2.0b best mistake 🙂 SmartDashboard versus SmartConsole     01/22/2023
+ v2.0a correct names : SMS, MDS, SmartConsole, ...                          01/21/2023

old Version 1.9:
+ v1.9a add port 443 cloud CME 19.03.2022
+ v1.9b fix port issue 442 cloud CME 22.03.2022

old Version 1.8:
+ v1.8a R81.10 EA update 04.05.2021
+ v1.8b add port 18264 30.05.2021
+ v1.8c R81.10 upgrade 28.07.2021

old Version 1.7:
+ v1.7a R81 EA update 17.07.2021
+ v1.7b bug fix 20.08.2021
+ v1.7c bug fix + new download link 25.06.2021

old Version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020

old Version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probeing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix designe 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018
+ v1.1e - add OPSEC -delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2021-05-31

add port 18264

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Amoli · ‎2021-06-02

Nice solution
Thanks

Reimar_W · ‎2021-06-20

Still missing port 18164.

T_Westwood · ‎2021-07-03

top

Reimar_W · ‎2021-07-15

great

HO · ‎2021-07-24

Is there a pdf version?

HeikoAnkenbrand · ‎2021-07-28

Now with R81.10 port update.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

rami · ‎2021-08-04

nice👍

HeikoAnkenbrand · ‎2021-08-19

Now with R81.10 port update.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Nils · ‎2021-10-02

Nice 👍

Venkata · ‎2021-12-28

Hanging as a poster at my workplace.
Thank you!

HeikoAnkenbrand · ‎2022-03-19

Add port 443 cloud CME

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2022-03-22

v1.9b fix port issue 442 cloud CME

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

S_Henrioud · ‎2022-07-14

Hello @HeikoAnkenbrand ,

I'm studying for CCSE R81.10 and your diagram is useful. It's a must have, I print it and use it everyday. Two questions for you :

I don't see anything about port tcp 18209 and CDT in you diagram (or Am I blind ?)

Here is the info that I have in the CCSE manual :

System Administrators can automatically install CPUSE offline packages on multiple Security
Gateways and cluster members at the same time using the Central Deployment Tool (CDT).
The CDT is a utility that runs on Gaia operating system Security Management Servers and
Multi-Domain Servers using software versions R77.30 and higher. The tool communicates
with gateways and cluster members over SIC via TCP port 18209.

And also can you add the fact that VRRP use multicast ip address 224.0.0.18 ?

Thanks and best regards

Mikael · ‎2022-12-05

Found an outbound CPMI (TCP/18190) to fortune.checkpoint.com when I clicked "Report Log to Check Point" in log details...

Might be good to know...

Great resource!

Florian_Schneid · ‎2023-01-04

Hi,

first of thanks for that helpful chart!
I just noticed that initiating initial SIC requires 443 from management to the Gateway. But that is not included in the drawing.

br

Florian

_Val_ · ‎2023-01-23

Funny that after so many years, the diagram still says SmartDashboard and not SmartConsole, although showing CPM TCP port 19009, which is explicitly used by the latter.

HeikoAnkenbrand · ‎2023-01-23

Yes, the names were 8 years old and no one had noticed this 🙂

I have changed that.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

lars_e · ‎2023-01-23

Great stuff!

oli007 · ‎2023-01-24

nice

zr4 · ‎2023-01-25

Are these the implied roles?

HeikoAnkenbrand · ‎2023-01-27

Hi @zr4,

these are not the implied rules but an overview of almost all ports that Check Point uses for its communication between the systems.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2023-01-31

All LOM Prots are now included in the overview.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Dolo · ‎2023-02-03

Top @HeikoAnkenbrand

David_C1 · ‎2023-02-17

Really love this chart. If only every vendor published something like this so we could write accurate firewall policy for their products...

I do not see TCP 18265 on the chart for the ICA portal. Just a suggestion.

Dave

ODO · ‎2024-05-31

Top!

CheckPointerXL · ‎2024-08-01

Hi all,

i see that my Domains Log Server are trying to contact the gateways on port 256... i cannot see any documentation about this flow, any help?

PhoneBoy · ‎2024-08-01

According to the official documentation:

Connections to Security Gateway Service (to FWD daemon):

Fetching topology information by Security Gateway (by FWD daemon) from Security Management Server or Domain Management Server (CMA)
Full Synchronization between ClusterXL members in versions R80.40 and lower
(To perform a Full Sync with a peer cluster member, the FWD daemon on a cluster member connects to the TCP port 256 on the peer cluster member)
IPS packet capture

Only the last one of these makes sense in this situation.
The packet captures are stored on the gateway and retrieved by the management/log server on request.

CheckPointerXL · ‎2024-08-01

I already read that docs... yes, probably i underrated that point, of course is not intuitive

Thank you

PhoneBoy · ‎2024-08-01

I happen to be familiar with the IPS packet capture thing as I was working with a customer some years ago on fetching the IPS packet capture from the CLI. 🙂

Are you a member of CheckMates?

R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)