
Author Topic: Checkpoint firewall port 80/443 open on the Internet  (Read 9514 times)


Flintstone (Global Moderator)
Checkpoint firewall port 80/443 open on the Internet
« on: May 14, 2012, 05:27:24 AM »
Guys,

Our firewalls are periodically scanned for vulnerabilities on the Internet and we were surprised to find that ports 80/443 were open on the Internet. 

We subsequently found that Checkpoint have introduced in R75 something called 'Multi Portal'. This allows the firewall to listen for any request on port 80/443 and, after the 3-way handshake is complete, forward the request to the appropriate daemon according to the data context. If the request to port 80/443 is not legitimate, then the traffic is dropped.

Note - You can no longer use Voyager on port 443.  You have to create a new customised port.

In our case we do not need to use the 'Multi Portal' functionality and want to close ports 80/443. Our Security department also had grave concerns. Unfortunately, within the SmartDashboard GUI there is no facility to turn these ports off, even though you can untick 'Accept Web and SSH connections for Gateway's administration' under the Firewall Implied Rules tab.

After several failed attempts to resolve this issue via our 3rd-party support partner, Checkpoint finally admitted there was an issue and provided a special SmartDashboard GUI that enters a new line, '#define ENABLE_PORTAL_HTTP_REDIRECT', in the 'implied_rules.def' file. That line needs to be commented out on our Windows SmartCenter server and the policy then pushed to the firewalls.

Note - Using Checkpoint R75.20 running on IPSO 6.2

Apparently Checkpoint have resolved this issue in the new SmartDashboard for R75.40 which has just been released?

CheerZ


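The behaviour Flintstone describes (the gateway completes the TCP handshake on 80/443 for anyone, then silently drops requests that are not for the portal) is exactly what makes an external vulnerability scanner report the ports as open even when nothing is being served. The script below is an added example, not code from the forum post or from Check Point: it runs a small local stub that imitates that dispatch-after-handshake behaviour (the stub, the `/portal` prefix it treats as legitimate and the four result labels are assumptions made for the illustration), and a `probe` function that tells a plain closed port apart from one that answers the handshake and then drops the request. Pointed at a gateway's external address instead of the stub, the same probe is the check you would run before and after commenting out the `ENABLE_PORTAL_HTTP_REDIRECT` define: "served" or "open-but-dropped" means Multi Portal is still listening, "closed" or "filtered" means it is not.

```python
"""Classify what a TCP port does after the three-way handshake.

Added example for the Multi Portal discussion; not Check Point code.
The stub below is a hypothetical imitation of the described behaviour:
accept every connection, serve only requests for the portal path, and
close everything else without sending a byte.
"""
import socket
import threading

# Assumption for the stub: only requests for this path are "legitimate".
PORTAL_PREFIX = b"GET /portal"


def free_port():
    """Pick a currently unused localhost port (for the stub and tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def multi_portal_stub(port):
    """Listen on 127.0.0.1:port, complete the handshake for anyone, then
    either serve the portal request or drop the connection silently."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()          # handshake done regardless of content
            with conn:
                try:
                    data = conn.recv(1024)
                except OSError:
                    continue
                if data.startswith(PORTAL_PREFIX):
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
                # Anything else: close without replying, i.e. "dropped".

    threading.Thread(target=serve, daemon=True).start()
    return srv


def probe(host, port, request, timeout=2.0):
    """Return one of: closed, filtered, unreachable, served, open-but-dropped.

    'closed'           RST to our SYN, nothing listens on the port
    'filtered'         no SYN/ACK at all, something dropped the SYN
    'served'           handshake completed and a daemon answered
    'open-but-dropped' handshake completed but the request went nowhere
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed"
    except socket.timeout:
        s.close()
        return "filtered"
    except OSError:
        s.close()
        return "unreachable"
    try:
        s.sendall(request)
        data = s.recv(1024)
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        data = b""
    finally:
        s.close()
    return "served" if data else "open-but-dropped"


# Constructed sample requests: one for the portal path, one generic.
PORTAL_REQUEST = b"GET /portal/ HTTP/1.1\r\nHost: gw.example\r\n\r\n"
GENERIC_REQUEST = b"GET / HTTP/1.1\r\nHost: gw.example\r\n\r\n"


def demo():
    """Run the stub locally and probe it, plus a port with no listener."""
    port = free_port()
    multi_portal_stub(port)
    return {
        "portal request": probe("127.0.0.1", port, PORTAL_REQUEST),
        "generic request": probe("127.0.0.1", port, GENERIC_REQUEST),
        "no listener": probe("127.0.0.1", free_port(), GENERIC_REQUEST),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16s} -> {result}")
```

Against the stub the generic request comes back "open-but-dropped": a port scanner seeing that handshake succeed is right to call the port open, which is why Flintstone's scans flagged 80/443 on a gateway that was never meant to serve anything there. The "filtered" branch only fires when the SYN itself is dropped, so after the define has been commented out and policy pushed you should see "closed" or "filtered", never "open-but-dropped".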

Michael McNamara (Administrator)
Re: Checkpoint firewall port 80/443 open on the Internet
« Reply #1 on: July 18, 2012, 11:28:27 PM »
Thanks for sharing that information @Flintstone!

I haven't had the opportunity to deploy R75 yet (still running R70). :(