Seeking explanation of high ports listening:

**onyxwolf** · 2011-10-14

Hey all,

A customer has to show all listening ports on there firewall and netstat -an reveals several (approx. 20) ports > 50000 listening to 0.0.0.0 (IE all) on their box. I thought maybe it was for NAT or something along those lines, but when I checked my VM SPLAT, after installing a super basic policy ensuring no NATing/VPN was enabled, I found the close to the same amount of high ports listening on it. Adding the -p tag showed they all (with the exception of one) were open by fwd; therefore, a cpstop closed them. Anyone know why Check Points firewall uses these high ports?

Policy properly blocks access to them; thus the need for the stealth rule, but customer still needs to explain the listening ports...

**Eros_G** · 2011-10-21

old but goodies....

NGX FAQ - Ports used by Check Point NGX

http://informationsecuritytips.com/2...irewall-ports/

**onyxwolf** · 2011-10-21

Thank you,

I actually ran across those in my initial research and saw the two > 50000 ports on the list but that doesn't explain the rest of the 20 of them... Hmm... I suppose they are for various management functionalities as well, and CP hasn't been forthcoming with my direct inquiry to them. I guess its one of those, unless you develop for CP, you'll never know. I provided what I could to customer, and emphasized the need of stealth rule and defining guiclients, due to this, and that seemed to satisfy his inquiry.

**alienbaby** · 2011-10-21

assuming the use of SecurePlatform, 'netstat -lnp' does not show all the listening ports.

Many 'listeners' are in the kernel module, and as far as I know, cannot be discovered without a port scan. Some can be gleaned from $FWDIR/conf/fwauthd.conf.