Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bac26
Contributor

VPN Port only on external interface

Hello

would be possibie to open only on external interfaces ports use for site to site vpn and remote access?

best regards

Fabio

0 Kudos
11 Replies
PhoneBoy
Admin
Admin

Unless you've disabled the relevant implied rules, this traffic should already be allowed.

0 Kudos
Bac26
Contributor

but i would like to enable on a specific cluster only on the external interface, now is enabled on all interfaces like ike 500

0 Kudos
PhoneBoy
Admin
Admin

If VPN is enabled, the gateway will listen on all interfaces on UDP port 500.
There is no way to prevent this from occurring and would require an RFE with your local Check Point office.

Access to VPN (Remote Access, Site-to-Site) is enabled through Implied Rules.
The only way to disable this access is either:

I recommend the latter approach versus the former one.

0 Kudos
Bac26
Contributor

so you advice to keep implied rules?

0 Kudos
PhoneBoy
Admin
Admin

In order to prevent VPN traffic from being accepted via Implied Rules, you would have to disable Accept Control Connections.
This would require continual maintenance of several rules unrelated to VPN.
Whereas with the fwaccel approach, it requires one command on each gateway to be run.
Though if you are using fwaccel on gateways regularly, you'll have to be mindful of these rules.

0 Kudos
Bac26
Contributor

But with fwaccel the port is in listening you just drop traffic right?

0 Kudos
PhoneBoy
Admin
Admin

Yes, the gateway is still listening on those ports.

However, when using the appropriate fwaccel dos commands, access to this port is rate-limited to zero, so no traffic will be received/processed by the daemon.
Which is more or less the exact same effect as disabling the Implied Rules would have.

0 Kudos
Bac26
Contributor

Hello

can you show me an example command to block one vpn port? ex ike 500? and how to reverst in case?

Thank you

0 Kudos
PhoneBoy
Admin
Admin

Probably something like (this blocks access to UDP port 500)

fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0

To revert, delete the relevant rule:

fwaccel dos rate del "<Rule UID>"

To get the rule UID, you need to parse the output of: fw samp get -l

More possibilities listed here: https://support.checkpoint.com/results/sk/sk112454

 

0 Kudos
Bac26
Contributor

in case of a cluster i should set the cidr to the VIP? or still on physical?

0 Kudos
PhoneBoy
Admin
Admin

If your goal is to prevent access, then I would specify both the VIP and physical IPs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events