This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bac26
Contributor
‎2023-06-15 07:50 AM

VPN Port only on external interface

Hello

would be possibie to open only on external interfaces ports use for site to site vpn and remote access?

best regards

Fabio

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2023-06-15 07:55 AM

Unless you've disabled the relevant implied rules, this traffic should already be allowed.

0 Kudos
Bac26
Contributor
‎2023-06-15 08:07 AM
In response to PhoneBoy

but i would like to enable on a specific cluster only on the external interface, now is enabled on all interfaces like ike 500

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-15 08:52 AM
In response to Bac26

If VPN is enabled, the gateway will listen on all interfaces on UDP port 500.
There is no way to prevent this from occurring and would require an RFE with your local Check Point office.

Access to VPN (Remote Access, Site-to-Site) is enabled through Implied Rules.
The only way to disable this access is either:

I recommend the latter approach versus the former one.

0 Kudos
Bac26
Contributor
‎2023-06-20 12:20 AM
In response to PhoneBoy

so you advice to keep implied rules?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-20 02:39 PM
In response to Bac26

In order to prevent VPN traffic from being accepted via Implied Rules, you would have to disable Accept Control Connections.
This would require continual maintenance of several rules unrelated to VPN.
Whereas with the fwaccel approach, it requires one command on each gateway to be run.
Though if you are using fwaccel on gateways regularly, you'll have to be mindful of these rules.

0 Kudos
Bac26
Contributor
‎2023-06-20 10:50 PM
In response to PhoneBoy

But with fwaccel the port is in listening you just drop traffic right?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-21 11:34 AM
In response to Bac26

Yes, the gateway is still listening on those ports.

However, when using the appropriate fwaccel dos commands, access to this port is rate-limited to zero, so no traffic will be received/processed by the daemon.
Which is more or less the exact same effect as disabling the Implied Rules would have.

0 Kudos
Bac26
Contributor
‎2023-06-22 12:09 AM
In response to PhoneBoy

Hello

can you show me an example command to block one vpn port? ex ike 500? and how to reverst in case?

Thank you

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-22 09:57 AM
In response to Bac26

Probably something like (this blocks access to UDP port 500)

fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0

To revert, delete the relevant rule:

fwaccel dos rate del "<Rule UID>"

To get the rule UID, you need to parse the output of: fw samp get -l

More possibilities listed here: https://support.checkpoint.com/results/sk/sk112454

 

0 Kudos
Bac26
Contributor
‎2023-06-22 11:17 PM
In response to PhoneBoy

in case of a cluster i should set the cidr to the VIP? or still on physical?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-23 08:05 AM
In response to Bac26

If your goal is to prevent access, then I would specify both the VIP and physical IPs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events