free2wheel
Explorer

Remote management ports

Hi all,

I have two lab sites in different countries, which face the internet. Each location operates behind an upstream building-level firewall, not controlled by me. I have a CP manager already set up at one of the sites & want to manage gateways at the second also, but I need to request the relevant ports to be opened in the upstream firewalls at each site.

Which are the essential ports that I need to request for remote management? I have seen this ( https://www.ankenbrand24.de/wp-content/uploads/2023/01/Ports_2.0a.pdf ) document, which is very comprehensive, but I'm hoping that I don't need to request all of them.

Thanks

0 Kudos
5 Replies
_Val_
Admin

Please refer to the official list: https://support.checkpoint.com/results/sk/sk52421

0 Kudos
free2wheel
Explorer

Thank you @_Val_. To simplify the situation (for me, mostly), can I run the management traffic across the VPN tunnel? I might find myself in a 'Chicken & Egg' situation regarding the existence of that tunnel in the first place, but I am toying with that idea.

0 Kudos
_Val_
Admin

By default, management traffic is excluded from a VPN tunnel. You can override it, but this is not a good idea, and definitely not the best practice. If VPN goes down, you will lose control, and considering the VPN tunnel is managed by that same system, this is a huge issue to bring it back up.

Check Point internal traffic is anyway encrypted; I would route it through the internet outside of the VPN tunnel.

0 Kudos
free2wheel
Explorer

Understood, thanks!


0 Kudos
PhoneBoy
Admin

If you use Smart-1 Cloud for management, the only thing you'd need to open up is HTTPS.
This uses an HTTPS tunnel for the various needed ports.
Unfortunately, this is not available for on-premise management at present.

The main ports needed from the gateways to the management are (at a minimum):

  • TCP 257 (Logging)
  • TCP 18264 (ICA Services)
  • TCP 18191 (SIC, Policy Installation)
  • TCP 18210 (Pull certificates from the ICA)

From management to gateways, you need at minimum:

  • TCP 256 (Policy Install)
  • TCP 18208 (CPRID)

There may be others if you use SAM rules (TCP 18183), use SmartView Monitor (TCP 18202), or have other management infrastructure.

0 Kudos
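Once the upstream firewall change has been made, the port lists in the reply above can be verified per direction with a plain TCP connect from the correct side. This is an added example, not code from the thread or from Check Point; the addresses are placeholders, and it assumes the probe is run from a host whose outbound path the requested rule actually covers.

```python
"""Added example: confirm the Check Point management ports from the reply above
are reachable through the upstream firewall. Addresses below are placeholders."""
import socket
from typing import Callable, Dict, List

# Minimum ports from the reply: gateway -> management and management -> gateway.
GW_TO_MGMT: Dict[int, str] = {
    257: "Logging",
    18264: "ICA Services",
    18191: "SIC, Policy Installation",
    18210: "Pull certificates from the ICA",
}
MGMT_TO_GW: Dict[int, str] = {
    256: "Policy Install",
    18208: "CPRID",
}
# Only needed if SAM rules or SmartView Monitor are in use, per the reply.
OPTIONAL_GW_TO_MGMT: Dict[int, str] = {
    18183: "SAM rules",
    18202: "SmartView Monitor",
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the upstream firewall
    is not dropping it. Says nothing about the Check Point service behind it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def blocked_ports(running_on: str, mgmt: str, gateway: str,
                  include_optional: bool = False,
                  probe: Callable[[str, int], bool] = tcp_open) -> List[str]:
    """running_on='gateway' probes the management server on the gateway->management
    ports; running_on='management' probes the gateway on the management->gateway
    ports. Run each check from that side, since the upstream rule is direction-specific."""
    if running_on == "gateway":
        ports = {**GW_TO_MGMT, **(OPTIONAL_GW_TO_MGMT if include_optional else {})}
        target = mgmt
    elif running_on == "management":
        ports, target = MGMT_TO_GW, gateway
    else:
        raise ValueError("running_on must be 'gateway' or 'management'")
    return [f"TCP {p} ({why})" for p, why in sorted(ports.items()) if not probe(target, p)]


if __name__ == "__main__":
    # Placeholder addresses (TEST-NET ranges); replace with the real hosts.
    print("still blocked:", blocked_ports("gateway", "192.0.2.10", "198.51.100.20"))
```

Anything reported as blocked is what still has to go into the upstream firewall request for that site; an empty list for both sides means the minimum set from the reply is in place.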