This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bruce_Lee
Explorer
‎2021-01-22 08:54 PM
Jump to solution

To block 18264 on CheckPoint External Firewall

Hi All,

Need your guy's advice on how to block port 18264 on external interface of checkpoint firewall access.
As CheckPoint Support not recommended to disabled the "Accept Control Connection", it will blocking traffic on this port can impact Firewall SMS communication, and VPN authentication among other services. 

Understand that after disabled the "Accept Control Connection", we can create explicit rules to control the traffic.

It will need a lot of effort on explicit rules since our SMS having more than 10 gateways.


Is there an alternative way to block port 18264 ?


We had tried below solution, however, it's still accessible to port 18264 on external interface


Add an static NAT rule and NAT it to null IP (Implied rule goes first, so NATing is not working)
https://community.checkpoint.com/t5/General-Topics/block-port-443-and-80-and-18264-on-checkpoint-ext...

 

- Manually change the implied_rule.def 

-> //#define ENABLE_PORTAL_HTTP_REDIRECT in implied ruleshttps://community.checkpoint.com/t5/Security-Gateways/How-to-disable-Gaia-access-from-the-Internet/t...

 

-Modified the implied_rule.def
Change it to:  // #define ENABLE_FW1_ICA_SERVICES
(add // before #)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 


Kindly adsie on this.

Thank you

0 Kudos
1 Solution

Accepted Solutions
SangJun
Explorer
‎2021-02-02 10:23 PM
Jump to solution

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-01-22 10:48 PM
Jump to solution

What is the version of gateway and management in question?
Note if the gateway and management are different versions, you may have to apply this fix in multiple locations (i.e. in the various backward compatibility directories).

0 Kudos
the_rock
Legend
Legend
‎2021-01-23 08:16 PM
Jump to solution

Personally, I would NEVER modify implied rules, thats a big security issue, at least for me. Also, how are you testing that access? via telnet or some other way? I would really like to see it for myself on the remote session if you are up for that, so you can show me exactly how this is configured.

Let me know.

Andy

0 Kudos
SangJun
Explorer
‎2021-02-02 10:23 PM
Jump to solution

I referred to sk105719 and blocked the 18264 port with /* */. (from implied_rule.def)
/* #define ENABLE_FW1_ICA_SERVICES */

If the version of the management server and gateway is different, refer to sk92281.
Blocking it is not recommended if you are using a VPN.

0 Kudos
charles-corbin
Explorer
‎2022-12-01 06:38 AM
In response to SangJun
Jump to solution

Do you know if this is permanent point to point VPNs or the VPNs used on Checkpoint client connections on laptops?

Thanks in advance.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-01 07:18 AM
In response to charles-corbin
Jump to solution

It applies to both.

0 Kudos