Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bruce_Lee
Explorer
Jump to solution

To block 18264 on CheckPoint External Firewall

Hi All,

Need your guy's advice on how to block port 18264 on external interface of checkpoint firewall access.
As CheckPoint Support not recommended to disabled the "Accept Control Connection", it will blocking traffic on this port can impact Firewall SMS communication, and VPN authentication among other services. 

Understand that after disabled the "Accept Control Connection", we can create explicit rules to control the traffic.

It will need a lot of effort on explicit rules since our SMS having more than 10 gateways.


Is there an alternative way to block port 18264 ?


We had tried below solution, however, it's still accessible to port 18264 on external interface


Add an static NAT rule and NAT it to null IP (Implied rule goes first, so NATing is not working)
https://community.checkpoint.com/t5/General-Topics/block-port-443-and-80-and-18264-on-checkpoint-ext...

 

- Manually change the implied_rule.def 

-> //#define ENABLE_PORTAL_HTTP_REDIRECT in implied ruleshttps://community.checkpoint.com/t5/Security-Gateways/How-to-disable-Gaia-access-from-the-Internet/t...

 

-Modified the implied_rule.def
Change it to:  // #define ENABLE_FW1_ICA_SERVICES
(add // before #)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 


Kindly adsie on this.

Thank you

0 Kudos
1 Solution

Accepted Solutions
SangJun
Explorer

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin

What is the version of gateway and management in question?
Note if the gateway and management are different versions, you may have to apply this fix in multiple locations (i.e. in the various backward compatibility directories).

0 Kudos
the_rock
Legend
Legend

Personally, I would NEVER modify implied rules, thats a big security issue, at least for me. Also, how are you testing that access? via telnet or some other way? I would really like to see it for myself on the remote session if you are up for that, so you can show me exactly how this is configured.

Let me know.

Andy

0 Kudos
SangJun
Explorer

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

0 Kudos
charles-corbin
Explorer

Do you know if this is permanent point to point VPNs or the VPNs used on Checkpoint client connections on laptops?

Thanks in advance.

0 Kudos
PhoneBoy
Admin
Admin

It applies to both.

0 Kudos
RBP
Explorer

Apart from disabling the implied rule. Is there any alternative way for blocking the 18264 port for being accept through implied rule. Can we stop the service. (cpca_client set_ca_services off)

0 Kudos
PhoneBoy
Admin
Admin

This is a required service and leaving it stopped will cause anything involving SIC and/or VPNs to eventually break.
Modifying implied rules is one option, another is to use fw samp to block the relevant traffic on each gateway, which are enforced before Implied Rules.
A command like the following will need to be executed on all relevant gateways: fwaccel dos rate add -a d destination cidr:x.y.z.w/32 service 6/18264
This will block all traffic to the IP address x.y.z.w on TCP port 18264.
More details/specifics here: https://support.checkpoint.com/results/sk/sk112454 

0 Kudos
Sergei_Shir
Employee
Employee

sk35292 is not avalaible anymore.

Refer to sk179346: Configuring Explicit Rules instead of Implied Rules

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events