CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: What outbound ports should be allowed for http and https traffic

  1. #1
    Join Date
    2017-02-06
    Posts
    14
    Rep Power
    0

    What outbound ports should be allowed for http and https traffic

    Our internet browsing rule allows our employees to go out to the internet on http and https, but does not restrict any ports. So, they can type https://www.mysite.com:9876 and go out on 9876. We would like to tighten that down. Is there a best practice for what ports to allow employees to go out on?

    We have r80.20

    Any help is appreciated. We were looking at this article which is what made us want to tighten our rules down.

    https://community.securityeducation....ress-Detection

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    308
    Rep Power
    13

    Re: What outbound ports should be allowed for http and https traffic

    The closest thing to a "best practice" is a tautology: allow your users to reach what they need.

    Thanks to "cloud" nonsense and IPv4 exhaustion, a lot of public services are being run on effectively-random IPs and high ports. If you allow only a handful of ports out, you will find all of the other needed ports pretty quickly, but you will do so by causing outages.

    I, personally, would be more likely to search in SmartLog for the UUID of the rule which is currently allowing traffic, export a million records, and process the log data to see which ports are used and how frequently. If it's an obvious port or a weird port used extremely commonly, I would just add rules to allow it above the existing, broad rule. For weird ports hit less frequently, I would then look at the sources and destinations, and see if I can get in touch with either. After repeating this process for a while, you should have a pretty good list of what is needed, and you can disable the broad rule. Takes time and a fair amount of effort, but this path wouldn't cause outages.
    Zimmie
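
The log-driven approach described in the reply above, sketched as an added example that is not part of the original thread or any Check Point tooling: it tallies destination ports from an exported log file and separates frequent ports from rare ones whose sources and destinations need a closer look. The column names (`src`, `dst`, `service`), the threshold, and the sample rows are assumptions and constructed data; adjust them to match the header of your actual export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample standing in for an exported log file; the column names
# (src, dst, service) are assumptions, so match them to your export's header.
SAMPLE_CSV = """src,dst,service
10.1.1.10,203.0.113.5,443
10.1.1.11,203.0.113.5,443
10.1.1.10,198.51.100.7,80
10.1.1.12,198.51.100.9,8443
10.1.1.13,198.51.100.9,8443
10.1.1.14,198.51.100.9,8443
10.1.1.15,192.0.2.44,9876
"""

def summarize_ports(rows, port_col="service", src_col="src", dst_col="dst"):
    """Count hits per destination port and collect the peers seen on each."""
    hits = Counter()
    peers = defaultdict(set)
    for row in rows:
        raw = (row.get(port_col) or "").strip()
        if not raw.isdigit():
            continue  # skip rows without a numeric port (blank or non-port services)
        port = int(raw)
        hits[port] += 1
        peers[port].add((row.get(src_col, ""), row.get(dst_col, "")))
    return hits, peers

def triage(hits, peers, common_threshold, well_known=(80, 443)):
    """Split ports into candidates for an explicit rule and ports to investigate."""
    allow, investigate = [], {}
    for port, count in hits.most_common():
        if port in well_known or count >= common_threshold:
            allow.append((port, count))
        else:
            investigate[port] = sorted(peers[port])  # who to contact about it
    return allow, investigate

def analyze(csv_text, common_threshold=3):
    hits, peers = summarize_ports(csv.DictReader(io.StringIO(csv_text)))
    return triage(hits, peers, common_threshold)

if __name__ == "__main__":
    allow, investigate = analyze(SAMPLE_CSV)
    for port, count in allow:
        print(f"rule candidate: port {port} ({count} hits)")
    for port, pairs in investigate.items():
        print(f"investigate: port {port} -> {pairs}")
```

Re-running this over fresh exports after each round of new rules shows what the broad rule is still matching before it is disabled.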
