Friday, May 28, 2010

Ports used by Checkpoint gateway and management server between there internal communication..

Symptoms
  • VPN-1 binds to some well-known ports and a few not-so well known ports. This document will explain what ports these are, what they are used for, and, if applicable, how to disable them.
Solution
Various parts of FireWall-1 bind to various ports on the system. Typically, they intercept connections traversing through the firewall, but in order for this to work correctly, they must bind to their own port and listen. In general, the services bound to these ports do not pose any sort of security risk. If no policy is in place or the policy permits access to these ports inadvertenly, the processes themselves are smart enough to reject direct requests to these ports. In the case of the SAM and LEA ports (see below), these ports require authentication in much the same way that remote management does, so it is not believed to be a security risk.
TCP Port 256 is used for three important things:
  • Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
  • SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
  • When instaling a policy, the management console uses this port to push the policy to the remote firewall.
TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.
Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
nokia[admin]# fwd `cat $FWDIR/conf/masters`

No comments: