This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bruce_Lee
Explorer
‎2021-01-22 08:54 PM
Jump to solution

To block 18264 on CheckPoint External Firewall

Hi All,

Need your guy's advice on how to block port 18264 on external interface of checkpoint firewall access.
As CheckPoint Support not recommended to disabled the "Accept Control Connection", it will blocking traffic on this port can impact Firewall SMS communication, and VPN authentication among other services. 

Understand that after disabled the "Accept Control Connection", we can create explicit rules to control the traffic.

It will need a lot of effort on explicit rules since our SMS having more than 10 gateways.


Is there an alternative way to block port 18264 ?


We had tried below solution, however, it's still accessible to port 18264 on external interface


Add an static NAT rule and NAT it to null IP (Implied rule goes first, so NATing is not working)
https://community.checkpoint.com/t5/General-Topics/block-port-443-and-80-and-18264-on-checkpoint-ext...

 

- Manually change the implied_rule.def 

-> //#define ENABLE_PORTAL_HTTP_REDIRECT in implied ruleshttps://community.checkpoint.com/t5/Security-Gateways/How-to-disable-Gaia-access-from-the-Internet/t...

 

-Modified the implied_rule.def
Change it to:  // #define ENABLE_FW1_ICA_SERVICES
(add // before #)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 


Kindly adsie on this.

Thank you

0 Kudos
1 Solution

Accepted Solutions
SangJun
Explorer
‎2021-02-02 10:23 PM
Jump to solution

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2021-01-22 10:48 PM
Jump to solution

What is the version of gateway and management in question?
Note if the gateway and management are different versions, you may have to apply this fix in multiple locations (i.e. in the various backward compatibility directories).

0 Kudos
the_rock
Legend
Legend
‎2021-01-23 08:16 PM
Jump to solution

Personally, I would NEVER modify implied rules, thats a big security issue, at least for me. Also, how are you testing that access? via telnet or some other way? I would really like to see it for myself on the remote session if you are up for that, so you can show me exactly how this is configured.

Let me know.

Andy

0 Kudos
SangJun
Explorer
‎2021-02-02 10:23 PM
Jump to solution

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

0 Kudos
charles-corbin
Explorer
‎2022-12-01 06:38 AM
In response to SangJun
Jump to solution

Do you know if this is permanent point to point VPNs or the VPNs used on Checkpoint client connections on laptops?

Thanks in advance.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-01 07:18 AM
In response to charles-corbin
Jump to solution

It applies to both.

0 Kudos
RBP
Explorer
‎2023-08-14 09:54 PM
In response to SangJun
Jump to solution

Apart from disabling the implied rule. Is there any alternative way for blocking the 18264 port for being accept through implied rule. Can we stop the service. (cpca_client set_ca_services off)

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-15 02:27 PM
In response to RBP
Jump to solution

This is a required service and leaving it stopped will cause anything involving SIC and/or VPNs to eventually break.
Modifying implied rules is one option, another is to use fw samp to block the relevant traffic on each gateway, which are enforced before Implied Rules.
A command like the following will need to be executed on all relevant gateways: fwaccel dos rate add -a d destination cidr:x.y.z.w/32 service 6/18264
This will block all traffic to the IP address x.y.z.w on TCP port 18264.
More details/specifics here: https://support.checkpoint.com/results/sk/sk112454 

0 Kudos
Sergei_Shir
Employee
Employee
‎2023-11-21 01:24 AM
Jump to solution

sk35292 is not avalaible anymore.

Refer to sk179346: Configuring Explicit Rules instead of Implied Rules

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events