Solved: To block 18264 on CheckPoint External Firewall

Bruce_Lee · ‎2021-01-22

Hi All,

Need your guy's advice on how to block port 18264 on external interface of checkpoint firewall access.
As CheckPoint Support not recommended to disabled the "Accept Control Connection", it will blocking traffic on this port can impact Firewall SMS communication, and VPN authentication among other services.

Understand that after disabled the "Accept Control Connection", we can create explicit rules to control the traffic.

It will need a lot of effort on explicit rules since our SMS having more than 10 gateways.

Is there an alternative way to block port 18264 ?

We had tried below solution, however, it's still accessible to port 18264 on external interface

- Add an static NAT rule and NAT it to null IP (Implied rule goes first, so NATing is not working)
https://community.checkpoint.com/t5/General-Topics/block-port-443-and-80-and-18264-on-checkpoint-ext...

- Manually change the implied_rule.def

-> //#define ENABLE_PORTAL_HTTP_REDIRECT in implied ruleshttps://community.checkpoint.com/t5/Security-Gateways/How-to-disable-Gaia-access-from-the-Internet/t...

-Modified the implied_rule.def
Change it to: // #define ENABLE_FW1_ICA_SERVICES
(add // before #)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Kindly adsie on this.

Thank you

SangJun · ‎2021-02-02

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

View solution in original post

PhoneBoy · ‎2021-01-22

What is the version of gateway and management in question?
Note if the gateway and management are different versions, you may have to apply this fix in multiple locations (i.e. in the various backward compatibility directories).

the_rock · ‎2021-01-23

Personally, I would NEVER modify implied rules, thats a big security issue, at least for me. Also, how are you testing that access? via telnet or some other way? I would really like to see it for myself on the remote session if you are up for that, so you can show me exactly how this is configured.

Let me know.

Andy

Best,
Andy

SangJun · ‎2021-02-02

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

charles-corbin · ‎2022-12-01

Do you know if this is permanent point to point VPNs or the VPNs used on Checkpoint client connections on laptops?

Thanks in advance.

PhoneBoy · ‎2022-12-01

It applies to both.

RBP · ‎2023-08-14

Apart from disabling the implied rule. Is there any alternative way for blocking the 18264 port for being accept through implied rule. Can we stop the service. (cpca_client set_ca_services off)

PhoneBoy · ‎2023-08-15

This is a required service and leaving it stopped will cause anything involving SIC and/or VPNs to eventually break.
Modifying implied rules is one option, another is to use fw samp to block the relevant traffic on each gateway, which are enforced before Implied Rules.
A command like the following will need to be executed on all relevant gateways: fwaccel dos rate add -a d destination cidr:x.y.z.w/32 service 6/18264
This will block all traffic to the IP address x.y.z.w on TCP port 18264.
More details/specifics here: https://support.checkpoint.com/results/sk/sk112454

Sergei_Shir · ‎2023-11-21

sk35292 is not avalaible anymore.

Refer to sk179346: Configuring Explicit Rules instead of Implied Rules

Are you a member of CheckMates?

To block 18264 on CheckPoint External Firewall