CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Results 1 to 2 of 2

Thread: What outbound ports should be allowed for http and https traffic

  1. #1
    Join Date
    Rep Power

    Default What outbound ports should be allowed for http and https traffic

    Our internet browsing rule allows our employees to go out to the internet on http and https, but does not restrict any ports. So, they can type https://www.mysite.com:9876 and go out on 9876. We would like to tighten that down. Is there a best practice for what ports to allow employees to go out on?

    We have r80.20

    Any help is appreciated. We were looking at this article which is what made us want to tighten our rules down.


  2. #2
    Join Date
    DFW, TX
    Rep Power

    Default Re: What outbound ports should be allowed for http and https traffic

    The closest thing to a "best practice" is a tautology: allow your users to reach what they need.

    Thanks to "cloud" nonsense and IPv4 exhaustion, a lot of public services are being run on effectively-random IPs and high ports. If you allow only a handful of ports out, you will find all of the other needed ports pretty quickly, but you will do so by causing outages.

    I, personally, would be more likely to search in SmartLog for the UUID of the rule which is currently allowing traffic, export a million records, and process the log data to see which ports are used and how frequently. If it's an obvious port or a weird port used extremely commonly, I would just add rules to allow it above the existing, broad rule. For weird ports hit less frequently, I would then look at the sources and destinations, and see if I can get in touch with either. After repeating this process for a while, you should have a pretty good list of what is needed, and you can disable the broad rule. Takes time and a fair amount of effort, but this path wouldn't cause outages.

Similar Threads

  1. URL filtering, HTTPS Inspection, HTTP/HTTPS Proxy
    By bhavinjbhatt in forum R75.40 (GAiA)
    Replies: 0
    Last Post: 2015-07-07, 13:33
  2. Different Outbound CA Certificates for HTTPS Inspection
    By Reevsie147 in forum Web Security Blade (Formerly Web Intelligence)
    Replies: 1
    Last Post: 2013-12-05, 11:15
  3. Command to see what https or http addresses are allowed
    By schynam in forum SSH (Secure Shell For Linux/SecurePlatform/IPSO)
    Replies: 5
    Last Post: 2012-03-18, 03:13
  4. Restricting ports for web-based traffic outbound
    By ChrisA in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 4
    Last Post: 2007-04-16, 04:27
  5. Redirect HTTP/HTTPS traffic?
    By ds5879 in forum Miscellaneous
    Replies: 1
    Last Post: 2006-11-15, 11:31

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts