Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
| Introduction |
|---|
This drawing should give you an overview of the used R80, R81 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.
| Overview |
|---|
| Download PDF |
|---|
Download R8x version 2.0:
R8x Ports Used for Communication PDF
| SmartConsole Extention |
|---|
New!
Now I have developed a SmartConsole Extension so that you can view the overview directly in the SmartConsole.
In the Access Policy section in the upper area, there is a tab called "Ports for Modules". More infos here.
Extension URL: https://www.ankenbrand24.de/ex/ports.json
| References |
|---|
Support Center: Ports used by Check Point software
| Versions |
|---|
Version 2.1:
+ v2.1b all new R82 ports (IA + RA VPN ikev2) 10/29/2024
+ v2.1a all new R81.20 ports (Cloudguard + VPN + ClusterXL) 07/15/2024
old Version 2.0:
+ v2.0f new! now with SmartConsole Extension 02/13/2023
+ v2.0e add LOM port 2048 01/31/2023
+ v2.0d add LOM ports 01/23/2023
+ v2.0c new colors + design 01/22/2023
+ v2.0b best mistake 🙂 SmartDashboard versus SmartConsole 01/22/2023
+ v2.0a correct names : SMS, MDS, SmartConsole, ... 01/21/2023
old Version 1.9:
+ v1.9a add port 443 cloud CME 19.03.2022
+ v1.9b fix port issue 442 cloud CME 22.03.2022
old Version 1.8:
+ v1.8a R81.10 EA update 04.05.2021
+ v1.8b add port 18264 30.05.2021
+ v1.8c R81.10 upgrade 28.07.2021
old Version 1.7:
+ v1.7a R81 EA update 17.07.2021
+ v1.7b bug fix 20.08.2021
+ v1.7c bug fix + new download link 25.06.2021
old Version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020
old Version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020
old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probeing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019
old version 1.3:
+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix designe 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701
old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018
+ v1.1e - add OPSEC -delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018
No. Security Management Server also needs TCP8211 to connect to log server.
This is not explained in sk52421 but this is what I noticed it on my R80.10 management platform 
. If I remember, if TCP8211 if not open, then SmartLog (on the management server) cannot browse logs stored on the log server.
You're welcome 
Maybe you could propose your drawing to R&D ^^
Why the arrow for FW1 in left part of Smart Center is pale grey? Because it is for old software only, I suppose. Maybe it would be a good thing to delete it at all, as version 4 is way out of support. Or your intend is to include all known ports which are visible in services?
I saw one version with legend for the drawing, with explanations of why colors for arrows are different. I think it would be better to have it on the drawing. Does it add too much tricky situations? But then why there are different colors of arrows?
There is also ICMP ping between members of cluster for lowest / highest VLAN checking.
What about DHCP ? udp_67, udp_68 ? Communication for DHCP server / Client.
In case backups from GW or SC are set, relevant ports are ftp, ssh (scp), tfp towards backup server / management.
Access to GUI DashBoard is done via CPMI and access to CMA / SMS via GuiDBedit is done via tcp_18190. (maybe you can add PC at very left, it will represent end user PC with SmartConsole installed)
Not sure if IGMP is relevant here, but this is also passing between GW nodes.
PS: The legend field (in purple) at the bottom of the drawing is not visible at all. Looks it is just picture inserted ?
Heiko Ankenbrand, here are my suggestions on design and blocks placement. You can take any ideas from it that you like. I can also provide my visio file to you.
It's a draft version, so there might be some mistakes in it compared to the Heiko's original. And I might have misinterpreted some ideas of communications there.
