CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Tenable Scan opening ports dynamically on GW

  1. #1

    Tenable Scan opening ports dynamically on GW

    Tenable Scan will dynamically open up various ports "SMTP Server Non-standard Port Detection" only on 2 out of the 16 gateways in our production environment. So far it has only happened on the secondaries.

    It does this every time, even after a fresh reboot of the gateway.

    All GWs are running R77.30 Jumbo 286. Anyone ever heard of this? We had a case opened a few months back but got nowhere. Any advice would be greatly appreciated.

    Thanks -pat

  2. #2
    Location: http://spikefishsolutions.com

    Re: Tenable Scan opening ports dynamically on GW

    I haven't heard of that. I would do a packet capture and see if you can verify it really looks like an SMTP server. Does anything show up in the logs of the secondary? What blades do you have enabled also?

  3. #3

    Re: Tenable Scan opening ports dynamically on GW

    Thanks for the response. The ports that are opened up and start listening when doing a netstat are: 35723, 36873, 41251, 44422, 45674, 45960, 47735, 49595, 51232, 54766, 56675, 58281, 60627, 64168

    We have all blades on except DLP. We have other identical gateways in our network that do not do this. It's strange that it's only on one gateway in the cluster as well. I'll have to dig into the logs a bit more and probably re-open the case.

    I just thought I would ask to see if anyone else has run into this type of thing.

    Appreciate the response.

    -pat

  4. #4

    Re: Tenable Scan opening ports dynamically on GW

    I just noticed that the ports on the 2 gateways are a little different between the gateways, but they still get tagged as "SMTP Server Non-standard Port Detection back door vulnerabilities".

    -pat

  5. #5
    Location: Gig Harbor, WA, USA

    Re: Tenable Scan opening ports dynamically on GW

    A better question might be why you are allowing traffic to "any" port to your firewall from anywhere, or even a specific network.
    That's not considered best practice.

    In any case, those "random" ports are used by the various software blades to "fold" connections to when needed.
    Some of them might indeed respond as SMTP when probed by a Tenable or similar.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  6. #6

    Re: Tenable Scan opening ports dynamically on GW

    Thanks for the responses. Yes, I agree about not allowing "any" from the scan networks, but we lost that argument.
    The PCI auditors have full access for their scanners to scan all the gateways and management servers.

    It would be nice for Check Point to be able to explain why this happens though and why not on all of our gateways running the same software and jumbos. Or at least have it happen on both clusters.

    We also have an on-going case "RFE" because the scanner is picking up TLS1.0 on Threat Emulation port 18194. Because of this we failed our PCI audit on another set of gateways.

    -pat

  7. #7
    Location: Colorado, USA

    Re: Tenable Scan opening ports dynamically on GW

    As mentioned earlier typically these high ports are used by security server processes to "fold" connections during a "process space trip" as I coined it in my book. Typically the only connections coming into these ports are from other components of the firewall itself.

    To run down which specific process/security server is listening on these ports, run netstat -anp on the firewall which will show the process ID (PID) and process name associated with each listening port. Then have a look at sk97638: Check Point Processes and Daemons to identify the function of the various processes.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
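As an added example (not code from the thread, from Check Point, or from the book above), here is a small shell helper that applies the netstat -anp step just described: it takes the comma-separated port list a scanner flagged and reports which PID/program is listening on each one, so the owner can then be looked up in sk97638. It runs here against constructed sample netstat output; the PIDs and process names in that sample are illustrative.

```shell
#!/bin/sh
# Added example: map scanner-flagged high ports to the local process that owns
# them, using the `netstat -anp` column layout (Proto Recv-Q Send-Q Local
# Foreign State PID/Program). Run as root so the PID/Program column is filled.

# Constructed sample of `netstat -anp` output; PIDs and process names are
# illustrative, not captured from a real gateway.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1187/sshd
tcp        0      0 0.0.0.0:35723           0.0.0.0:*               LISTEN      4212/in.emaild.smtp
tcp        0      0 0.0.0.0:47735           0.0.0.0:*               LISTEN      4212/in.emaild.smtp
tcp        0      0 0.0.0.0:56675           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::41251                :::*                    LISTEN      5530/cpd
tcp        0      0 10.1.1.2:18264          10.1.1.5:49410          ESTABLISHED 2104/fwd'

# listeners_for_ports NETSTAT_OUTPUT PORT_LIST
#   PORT_LIST is comma-separated, as a scanner report lists flagged ports.
#   Prints "<port> <PID/program>" for each port with a TCP listener,
#   "<port> pid-hidden" when netstat could not show the owner (not root),
#   and "<port> not-listening" when nothing is bound to it right now.
listeners_for_ports() {
    printf '%s\n' "$1" | awk -v ports="$2" '
    BEGIN {
        n = split(ports, want, ",")
        for (i = 1; i <= n; i++) owner[want[i]] = "not-listening"
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4
        sub(/.*:/, "", port)      # keep text after the last colon (IPv4 and IPv6)
        if (port in owner) owner[port] = ($7 == "-") ? "pid-hidden" : $7
    }
    END { for (i = 1; i <= n; i++) print want[i], owner[want[i]] }'
}

# Ports taken from the thread, checked against the constructed sample above.
# On a gateway, replace "$SAMPLE_NETSTAT" with "$(netstat -anp 2>/dev/null)".
listeners_for_ports "$SAMPLE_NETSTAT" "35723,41251,47735,56675,64168"
```

A port that shows as listening only intermittently is worth re-checking a few times, since the thread notes these listeners come and go.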

  8. #8

    Re: Tenable Scan opening ports dynamically on GW

    Thanks again.

    I do have both of your books. Very good reading. I'll have another look.
    Clearly these appliances are not the same, although we cannot find any differences among them, and giving senior mgmt a reason that makes sense has been tough. We will probably do a rebuild or hope the problem will go away when we upgrade to 80.10.

    -pat
