CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Results 1 to 9 of 9

Thread: Sync port

  1. #1
    Join Date
    2009-01-08
    Posts
    3
    Rep Power
    0

    Default Sync port

    Hi All,

    Just would like to know on what port/service does the Synchronization occur? I'm reading TCP-256 in some docs (but that may be an older method) and UDP-8116 in others.

    Thanks

  2. #2
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    14

    Default Re: Sync port

    UDP 8116 is all the sync/stateful update traffic. TCP 256 I believe is used for policy pushes

  3. #3
    Join Date
    2010-02-01
    Posts
    23
    Rep Power
    0

    Default Re: Sync port

    Here is my sheet of Check Point ports that I've compiled over the years. Some is standard, not just for Check Point, but I used this sheet frequently and thought it might be useful for you.

    The previous poster commented correctly:

    8116 UDP is the CCP
    256 is the policy install

    And here is the list of other Check Point Ports


    PORT TYPE SERVICE DESCRIPTION
    21 TCP ftp File transfer Protocol (control)
    21 UDP ftp File transfer Protocol (control)
    22 TCP ssh SSH remote login
    22 UDP ssh SSH remote login
    25 both SMTP Simple Mail transfer Protocol
    50 Encryption IP protocols esp - IPSEC Encapsulation Security Payload
    51 Encryption IP protocols ah - IPSEC Authentication Header Protocol
    53 Both Domain Name Server
    69 Both TFTP Trivial File Transfer Protocol
    94 TCP Encryption IP protocols fwz_encapsulation (FW1_Eencapsulation)
    137 Both Netbios-ns NETBIOS Name Service
    138 Both netbios-dgm NETBIOS Datagram
    139 Both netbios-ssn NETBIOS Session
    256 TCP FW1 (fwd) policy install port FWD_SVC_PORT
    257 TCP FW1_log FW1_log FWD_LOG_PORT
    258 TCP FW1_mgmt FWM_SSVVC_PORT
    259 TCP FW1_clientauth_telnet
    259 UDP RDP Reliable Datagram Protocol
    260 TCP sync
    260 UDP FW1_snmp FWD_SNMP_PORT
    261 TCP FW1_snauth Session Authentication Daemon
    262 TCP MDQ - mail dequer
    263 TCP dbs
    264 TCP FW1_topop Check Point SecureClient Topology Requests
    265 TCP FW1_key Check Point VPN-1 Public key transfer protocol
    389 Both LDAP Secure Client connecting to LDAP without SSL
    443 SNX VPN can use 443 too
    444 TCP SNX VPN SNX VPN tunnel in connectra only
    500 UDP IPSEC IKE Protocol (formerly ISAKMP/Oakley)
    500 TCP IKE over TCP
    500 UDP ISAKMPD_SPORT & ISAKMPD_DPORT
    514 UDP Syslog Syslog
    636 LDAP Secure Client connecting to LDAP with SSL
    900 TCP FW1_clntauth_http Client Authentication Daemon
    981 Management https on the edge
    1247
    1494 TCP Winframe Citrix
    1645 TCP Radius
    1719 UDP VOIP
    1720 TCP VOIP
    2040 TCP MIP meta Ip admin server
    2746 UDP UDP encapsualtion for SR VPN1_IPSEC_encapsulation VPN1_IPSEC encapsulation
    2746 TCP CPUDPENCap
    4000 Policy Server Port (Redmond)
    4433 TCP Connectra Admin HTTPS Connectra admin port
    4500 UDP NAT-T NAT Traversal
    4532 TCP SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm,
    5001 TCP Meta IP Web Connection, MIP
    5002 TCP Meta IP DHCP Failover
    5004 TCP Meta IP UAM
    5005 TCP Meta IP SMC
    6969 UDP KP_PORT KeyProt
    8116 UDP Check Point HA SyncMode= CPHAP (new sync mode)
    8116 UDP Connection table synchronization between firewalls
    8989 TCP CPIS Messaging MSG_DEFAULT_PORT
    8998 TCP MDS_SERVER_PORT
    9000 Command Line Port for Secure Client
    10001 TCP Default CPRSM listener port for coms with RealSecure Console
    18181 TCP FW1_cvp Check Point OPSEC Content Vectoring Protocol
    18182 TCP FW1_ufp Check Point OPSEC URL Filtering Protocol
    18183 TCP FW1_sam Check Point OPSEC Suspicious Activity monitoring Proto (SAM API)
    18184 TCP FW1_lea Check Point OPSEC Log Export API
    18185 TCP FW1_omi Check Point OPSEC Objects Management Interface
    18186 TCP FW1_omi-sic Check Point OPSEC Objects management Interface with Secure Internal Communication
    18187 TCP FW1_ela Check Point OPSEC Event Loging API
    18190 TCP CPMI Check Point Management Interface
    18191 TCP CPD Check Point Daemon Proto NG
    18192 TCP CPD_amon Check Point Internal Application Monitoring NG
    18193 TCP FW1_amon Check Point OPSEC Appication Monitoring NG
    18201 TCP FGD_SVC_PORT
    18202 TCP CP_rtm Check Point Real time Monitoring
    18203 TCP FGD_RTMP_PORT
    18204 TCP CE communication
    18205 TCP CP_reporting Check Point Reporting Client Protocol
    18207 TCP FW1_pslogon Check Point Policy Server logon Protocol
    18208 TCP FW1_CPRID Check Point remote Installation Protocol
    18209 TCP FWM CA for establishing SIC communication
    18210 TCP FW1_ica_pull Check Point Internal CA Pull Certificate Service
    18211 TCP FW1_ica_pull Check Point Internal CA Push Certificate Service
    18212 UDP Connect Control - Load Agent port
    18213 TCP cpinp: inp (admin server)
    18214 TCP cpsmc: SMC
    18214 UDP cpsmc: SMC Connectionless
    18221 TCP CP_redundant Check Point Redundant Management Protocol NG
    18231 TCP FW1_pslogon_NG Check Point NG Policy Server Logon Protocol
    18231 TCP NG listens on this port by default dtps.exe
    18232 TCP FW1_sds_logon Check Point SecuRemote Distribution Server Protocol
    18233 UDP Check Point SecureClient Verification Keepalive Protocol FW1_scv_keep_alive
    18241 UDP e2ecp
    18262 TCP CP_Exnet_PK Check Point Public Key Resolution
    18263 TCP CP_Exnet_resolve Check Point Extranet remote objects resolution
    18264 TCP FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services
    19190 TCP FW1_netso Check Point OPSEC User Authority Simple Protocol
    19191 TCP FW1_uaa Check point OPSEC User Authority API
    65524 FW1_sds_logon_NG Secure Client Distribution Server Protocol (VC and Higher)

  4. #4
    Join Date
    2006-11-05
    Posts
    44
    Rep Power
    0

    Default Re: Sync port

    thats ultimate

  5. #5
    Join Date
    2009-05-19
    Location
    Russia
    Posts
    56
    Rep Power
    14

    Default Re: Sync port

    TCP 256 is used to full sync management HA as I remember in additional.
    UDP 18116 for ClusterXL

    ..or I'm wrong?

  6. #6
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    14

    Default Re: Sync port

    Quote Originally Posted by Serji View Post
    TCP 256 is used to full sync management HA as I remember in additional.
    UDP 18116 for ClusterXL

    ..or I'm wrong?
    No, TCP 256 is for policy push/install and UDP 8116 is the cluster control/sync.

    One port I see left off the list is TCP 2010 for FIBMGR which is a full routing table sync. That list you posted james is a GREAT resource

  7. #7
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    18

    Default Re: Sync port

    Quote Originally Posted by bmolnar View Post
    That list you posted james is a GREAT resource
    I concur, excellent port listing! You should make a new thread with this compiled list as a resource that Barry can turn into a sticky.

    Something like: "Information: Complete Checkpoint Port Listing"

    Not sure which subforum though, probably this one: Miscellaneous - CPUG: The Check Point User Group
    There's no place like 127.0.0.1

  8. #8
    Join Date
    2014-04-29
    Posts
    1
    Rep Power
    0

    Default Re: Sync port

    The R80 documentation clearly states FWD uses TCP 256 for initial full sync, UDP 8116 is only used for delta sync. In older documentation this was not clearly specified unfortunately ;)

  9. #9
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    19

    Default Re: Sync port

    Quote Originally Posted by Johnneke View Post
    The R80 documentation clearly states FWD uses TCP 256 for initial full sync, UDP 8116 is only used for delta sync.

    Years ago I worked at places that did not allow TCP/256 between firewall members, only UDP/8116.

    If a firewall was restarted, full sync would fail. New connections would be synced. Over time, the connection numbers on each firewall would slowly converge. Long-running connections might never sync though. Looked very weird to see say 20,000 connections on one firewall, and 17,000 on the other.

Similar Threads

  1. Sync will not function since there aren't any sync(secured) interfaces
    By Wardrivn in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 3
    Last Post: 2009-08-17, 17:00
  2. Replies: 5
    Last Post: 2008-07-24, 05:29
  3. Dual port or quad port NICS in SPLAT
    By JeffN in forum Check Point SecurePlatform (SPLAT)
    Replies: 2
    Last Post: 2007-02-07, 21:50
  4. Host tried to open tcp service port, port xxxx
    By roadrunner in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 0
    Last Post: 2005-08-13, 15:17
  5. Host tried to open tcp service port, port xxxx
    By Barry J. Stiefel in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 0
    Last Post: 2005-08-13, 14:59

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •