Solved: R8x Ports Used for Communication by Various Check ... - Page 5

HeikoAnkenbrand · ‎2018-03-01

Introduction

This drawing should give you an overview of the used R80, R81 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.

Overview

Download PDF

Download R8x version 2.0:
R8x Ports Used for Communication PDF

SmartConsole Extention

New!

Now I have developed a SmartConsole Extension so that you can view the overview directly in the SmartConsole.
In the Access Policy section in the upper area, there is a tab called "Ports for Modules". More infos here.

Extension URL: https://www.ankenbrand24.de/ex/ports.json

References

Support Center: Ports used by Check Point software

Versions

Version 2.1:
+ v2.1b all new R82 ports (IA + RA VPN ikev2) 10/29/2024
+ v2.1a all new R81.20 ports (Cloudguard + VPN + ClusterXL) 07/15/2024

old Version 2.0:
+ v2.0f new! now with SmartConsole Extension                                02/13/2023
+ v2.0e add LOM port 2048                                                                       01/31/2023
+ v2.0d add LOM ports                                                           01/23/2023
+ v2.0c new colors + design                                                                      01/22/2023
+ v2.0b best mistake 🙂 SmartDashboard versus SmartConsole     01/22/2023
+ v2.0a correct names : SMS, MDS, SmartConsole, ...                          01/21/2023

old Version 1.9:
+ v1.9a add port 443 cloud CME 19.03.2022
+ v1.9b fix port issue 442 cloud CME 22.03.2022

old Version 1.8:
+ v1.8a R81.10 EA update 04.05.2021
+ v1.8b add port 18264 30.05.2021
+ v1.8c R81.10 upgrade 28.07.2021

old Version 1.7:
+ v1.7a R81 EA update 17.07.2021
+ v1.7b bug fix 20.08.2021
+ v1.7c bug fix + new download link 25.06.2021

old Version 1.6:
+ v1.6a add Azure ports 05.05.2020
+ v1.6b add all cloud ports 15.06.2020

old Version 1.5:
+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probeing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix designe 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018
+ v1.1e - add OPSEC -delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Artem_Kuznetsov · ‎2018-06-08

Hi, Heiko! That's a great work!

But you were probably missed udp_259 between gateways. It's Check Point VPN-1 FWZ Key Negotiations (Reliable Datagram Protocol) which using for sending and receiveing VPN probes.

Petr_Hantak · ‎2018-06-11

This is really great job! Thank you for it and I'm glad that is still updating. Written document is one thing, but relations in the picture are great

HeikoAnkenbrand · ‎2018-06-12

Hi Artem,
thx, i have added port 259 UDP for link probing.

Best regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Isabel_Brenner · ‎2018-06-13

Nice document.

Georg_Polder · ‎2018-06-15

This is really great job!

THX

Huseyin_Rencber · ‎2018-06-15

Nice job !

AlekseiShelepov · ‎2018-06-23

TCP 2010

FIBMGR - Forwarding Information Base Manager - Dynamic Routing Cluster configuration.
FIB Manager connections from / to cluster members on SecurePlatform OS with enabled Dynamic Routing.

From help in SmartDashboard R77.30:

OSPF - Graceful restart
• Allow connections to port TCP 2010 over the sync network

From sk120355

The routed process synchronizes OSPF and BGP routes via port 2010.

HeikoAnkenbrand · ‎2018-06-25

Hi Aleksei,

thx, i have added port 2100.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Joerg_Enge · ‎2018-06-29

Very nice overview!

Tarique_Ali · ‎2018-07-04

Great work.

Thomas_Werner · ‎2018-07-10

Hi Heiko,

great diagram - helps a lot.

Looks like TCP port 256 from Mgmt to GW is needed to fetch topology.

Also you may add this SK for reference:

Ports used by Check Point software

Regards Thomas

HeikoAnkenbrand · ‎2018-07-12

I add port 256 in the next version.

THX

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Patrick_Hanel · ‎2018-07-12

Thank you

Much better than the sk

HeikoAnkenbrand · ‎2018-07-13

Port 256 is added.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Sascha_Hasenst1 · ‎2018-07-17

Hello Heiko,

great picture. May it be possible to add two ports?

TCP/18264 on SmartCenter for fetching the CRL from the ICA (internal CA)

TCP/18265 on SmartCenter for accessing the ICA managemet Tool. Its very helpfull for checking certificates and their expiration-dates.

Best regards

Sascha

JozkoMrkvicka · ‎2018-07-22

Should be 2010, not 2100.

Kind regards,
Jozko Mrkvicka

Rolf_Kaschek · ‎2018-07-22

Thanks for the new diagram.

Hugo_vd_Kooij · ‎2018-07-24

If you install EndPoint Policy Management port 443 is no longer in use for GAIA. It will, by default, be moved to port 4434.

Secondary SmartConsole requires access to the port used above for any log tab that is not pointing directly to the SmartLog. (For example your SmartEvent, ....)

This can be a problem if high ports are blocked by default on another firewall.

I am not sure how to parse that information in the diagram you created. (Anyone a suggestion?)

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

JozkoMrkvicka · ‎2018-08-08

LOM ports are not in the drawing (was mentioned there as well).

Required open TCP ports for LOM card functionality

Kind regards,
Jozko Mrkvicka

HeikoAnkenbrand · ‎2018-08-09

Hi Jozko

I've been working hard with Check Point on this article R80.x Security Gateway Architecture (Logical Packet Flow) the last few days and nights. That is why I have not reacted here.

Now to the topic:

I have a space problem in the A3 overview and I am converting it to a larger format. Please give me a few more days.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Saleme_Sabaj · ‎2018-08-12

Also nice owerview.

Thanks

Saleme

Philipp_Schuste · ‎2018-09-04

Hi Heiko,

as Jozko said this should be port TCP/2010 and not TCP/2100. Please correct this to prevent misconfigurations.

Thanks for your great work!

Tobias_Karsbo · ‎2018-09-05

Good job!!!

Aleksandar_Oluj · ‎2018-09-12

Great job!

Kurt_Buckardt · ‎2018-09-14

Well done, sir! Thank you for making time to produce, update & share this!

Ralph_Heckler · ‎2018-09-22

Well done!

Petr_Hantak · ‎2018-10-08

I agree that those should be mentioned. Especially TCP/18264 for first time connection to management server on R80. Otherwise you'll get an error "CRLs failed to be downloaded".

Shinn_Ho · ‎2018-10-29

What were the ports need to be allow for the use of API if there was a firewall in between?

PhoneBoy · ‎2018-10-29

The R80.x API runs over port 443.

Sven_Glock · ‎2018-11-08

Hi Heiko,

maybe I found a missing communication channel.

What about Sandblast Detecting links to malicious files inside e-mails (sk115313)?

This needs communication to the internet. I am sure it is using http. No idea whether it can also use https or not.

Additionally TE appliance needs CPUSE and updates from Check Point, too.

Thanks for your excelent job.

Cheers

Sven

R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)

R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)

Are you a member of CheckMates?

R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)

R8x Ports Used for Communication by Various Check Point Modules (new version 2.1)