charlie
Participant

Tacacs+ on different port

Hello,

I need to contact the TACACS+ server from the Security Gateway on a custom port instead of the default port (49).
The standard steps don't include an option to set the port. Is there a way to change port 49?


Regards,

Charlie

9 Replies
the_rock
Legend

Are you not able to create a custom service and then assign a port to it?

charlie
Participant

The source is the firewall that has TACACS+ configured, but for some reason we need to change the port from 49 to a new one.
From the firewall I can set the priority, IP and key, but I need to change the port.

the_rock
Legend

Would you mind sharing a screenshot?

charlie
Participant

This is the Check Point TACACS+ server configuration:

[Screenshot: Tacacs.PNG]

I hope there is a configuration file where I can change the default port.

the_rock
Legend

Ok, got it. Not sure if the link below might help, but maybe someone else can chime in. I know you can change the SSH port easily from /etc/ssh, but I don't see anything in /etc for TACACS, really sorry mate.


https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Timothy_Hall
Champion

It appears the only way to do this is to hack the tacacs service definitions in the /etc/services file from expert mode; I just tried changing the TACACS port to 149, rebooted and it worked.  The /etc/services file is not auto-generated upon Gaia system startup so your changes should stick. 

However be sure to document this /etc/services file change as it is likely to get overwritten by a version upgrade or even possibly a Jumbo HFA installation.  You'll need to manually check that your port change survived after either of these types of operations.

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
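The /etc/services edit above is easy to make and just as easy to lose to a Jumbo HFA or upgrade, so the practical piece is a repeatable change-and-verify step. The script below is an added example, not code from the thread or from Check Point: it assumes, as Tim describes, that the gateway takes the TACACS+ port from the `tacacs` entries in /etc/services (both the tcp and udp lines are rewritten, and the similarly named `tacacs-ds` entry is left alone). The target port 4949 and the short services excerpt it works on are constructed for illustration; point the functions at the real /etc/services from expert mode to use them.

```shell
#!/bin/sh
# Added example: rewrite the "tacacs" entries in an /etc/services-style file
# to a custom port, then verify the change is still present (run the check
# again after every Jumbo HFA or version upgrade). Port 4949 and the sample
# excerpt below are constructed, not taken from a real Gaia system.

# Print the port currently assigned to the tcp "tacacs" entry.
# Exact match on field 1 so "tacacs-ds" (port 65) is not picked up.
tacacs_port() {
    awk '$1 == "tacacs" && $2 ~ /\/tcp$/ { split($2, a, "/"); print a[1]; exit }' "$1"
}

# Rewrite both the tcp and udp "tacacs" lines to the new port.
# Keeps a .bak copy of the original and writes via a temp file so a
# failed sed never leaves the services file half-written.
set_tacacs_port() {
    file=$1
    port=$2
    cp "$file" "$file.bak"
    tmp=$(mktemp)
    sed -E "s#^(tacacs[[:space:]]+)[0-9]+/(tcp|udp)#\1$port/\2#" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Exit 0 when the file still carries the expected port, 1 otherwise.
# Intended for a post-upgrade check:  check_tacacs_port /etc/services 4949
check_tacacs_port() {
    [ "$(tacacs_port "$1")" = "$2" ]
}

# Constructed excerpt of /etc/services used for the demo (not a live file).
make_sample_services() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt, not a real Gaia /etc/services
ssh             22/tcp
ssh             22/udp
tacacs          49/tcp          # Login Host Protocol (TACACS)
tacacs          49/udp          # Login Host Protocol (TACACS)
tacacs-ds       65/tcp          # TACACS-Database Service
domain          53/tcp
EOF
    echo "$f"
}

# Demo run against the constructed sample.
sample=$(make_sample_services)
set_tacacs_port "$sample" 4949
if check_tacacs_port "$sample" 4949; then
    echo "tacacs now on port $(tacacs_port "$sample")"
else
    echo "WARNING: tacacs port change is missing, re-apply it" >&2
fi
```

After a Jumbo HFA or upgrade, run `check_tacacs_port /etc/services 4949 || echo "tacacs port reverted"` (with your own port) before trusting that authentication still reaches the server; the services file is not the only thing an upgrade can replace, so this is a check, not a guarantee.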
charlie
Participant

Thanks!!!

I'm going to discuss with the team whether we really need to perform this change or whether we can avoid it.

Regards

the_rock
Legend

Thanks Tim, that's good to know!!

KhevynLerroy
Explorer

The easiest way to do that is to configure a destination NAT rule that tells the firewall: every time the firewall IP tries to reach the TACACS IP on port 49, change the destination port to xxxx. We did it in our environment and it works well.
