This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
free2wheel
Explorer
‎2023-10-06 02:58 AM

Remote management ports

Hi all,

 

I have two lab sites in different countries, which face the internet. Each location operates behind an upstream building-level firewall, not controlled by me.  I have a CP manager already setup at one of the sites & want to manage gateways at the second also but I need to request the relevant ports to be opened in the upstream firewalls at each site.

 

Which are the essential ports that I need to request for remote management?  I have seen this ( https://www.ankenbrand24.de/wp-content/uploads/2023/01/Ports_2.0a.pdf) document, which is very comprehensive, but I'm hoping that I don't need to request all of them.

 

Thanks

Preview file
227 KB
0 Kudos
5 Replies
_Val_
Admin
Admin
‎2023-10-06 04:11 AM

Please refer to the official list: https://support.checkpoint.com/results/sk/sk52421

0 Kudos
free2wheel
Explorer
‎2023-10-06 04:45 AM
In response to _Val_

Thank you @_Val_ .  To simplify the situation (for me, mostly), can I run the management traffic across the VPN tunnel?  I might find myself in a 'Chicken & Egg' situation regarding the existence of that tunnel in the first place, but I am toying with that idea.

0 Kudos
_Val_
Admin
Admin
‎2023-10-06 05:57 AM
In response to free2wheel

By default, management traffic is excluded from a VPN tunnel. You can override it, but this is not a good idea, and definitely not the best practice. If VPN goes down, you will lose control, and considering the VPN tunnel is managed by that same system, this is a huge issue to bring it back up. 

Check Point internal traffic is anyway encrypted, I would route it through the internet outside of the VPN tunnel. 

 

0 Kudos
free2wheel
Explorer
‎2023-10-06 06:09 AM
In response to _Val_

Understood, thanks!

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-06 11:12 AM

If you use Smart-1 Cloud for management, the only thing you'd need to open up is HTTPS.
This uses a HTTPS tunnel for the various needed ports.
Unfortunately, this is not available for on-premise management at present.

The main ports needed from the gateways to the management are (at a minimum):

  • TCP 257 (Logging)
  • TCP 18264 (ICA Services)
  • TCP 18191 (SIC, Policy Installation)
  • TCP 18210 (Pull certificates from the ICA)

From management to gateways, you need at minimum:

  • TCP 256 (Policy Install)
  • TCP 18208 (CPRID)

There may be others if you use SAM rules (TCP 18183), use SmartView Monitor (TCP 18202), or have other management infrastructure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events