Services allowed by "Accept Control Connections" option in "Global Properties"
Solution

The Control Connections enabled by the "Accept control connections" property in "Global Properties" (Policy menu > Global Properties > FireWall page in SmartDashboard) are listed below. These are implied rules: they are not shown in the Security Policy rulebase unless "View > Implied Rules" is enabled, they are placed "First" by default (ahead of every explicit rule), and matching traffic is not logged unless "Log Implied Rules" is selected on the same page. Note that several of them accept traffic from "anywhere"; if the property is cleared, explicit rules are needed for at least CPD, FWD and CPMI, otherwise the Security Management Server loses connectivity to its gateways.

  1. Extranet connections:
    • TCP port 18262 and TCP port 18263 ("ExNet_PK" and "ExNet_Resolve") are allowed from all Security Management Servers to anywhere, and from anywhere to the local machine (or local Cluster IP address).

    • Some "ExtraNet" initialization is also performed. If you use "ExtraNet", add "mark_extranet_flag;" to the relevant "user.def" file (see sk98239).

  2. FWD connections:
    • FWD_TOPO (TCP port 264) is enabled from anywhere to all Security Management Servers and all Security Gateways.

    • FWD_SVC (TCP port 256) is enabled between all Security Management Servers and all Security Gateways.

    • FWD_LOG (TCP port 257) is enabled from all Security Gateways to all Security Management Servers.

  3. OPSEC connections:
    • allow CPMI (TCP port 18190) from GUI clients and reporting clients to Security Management Server. On the Security Management Server, accept the reverse connection (sport=CPMI) even if the direct connection is not in the tables.

    • allow AMON (TCP port 18192) from all Security Management Servers to all Security Management Servers and Security Gateways.

    • allow SAM (TCP port 18183) from all Security Management Servers to all Security Gateways.

    • allow UFP (TCP port 18182) from local machine to UFP servers.

    • allow CVP (TCP port 18181) from local machine to CVP servers.

    • allow LEA (TCP port 18184) from reporting servers to Security Management Servers.

    • allow ELA (TCP port 18187) from UserAuthority servers to Security Management Servers.

    • allow OMI (TCP port 18185) and OMI_SIC (TCP port 18186) from reporting servers to Security Management Servers.

  4. VPN
    • allow ISAKMPD (TCP port 500 and UDP port 500) to local machine. Allow the reverse connection (sport=ISAKMPD) even if it is not in the tables.

    • allow ICA_PULL (TCP port 18210) from all Security Gateways to all Security Management Servers.

      Note: The ICA services are not used solely for VPN. Initial SIC establishment and subsequent certificate distribution depend on these ports.

    • allow ICA_PUSH (TCP port 18211) from all Security Management Servers to all Security Gateways and Security Management Servers, and to UserAuthority machines.

    • allow ICA_SERVICES (TCP port 18264) to the Security Management Server. Allow ICA_SERVICES connections to local machine, but redirect them to the Security Management Server.

    • specially handle RDP (UDP port 259, Check Point's Reliable Datagram Protocol, not Microsoft Remote Desktop on TCP port 3389) connections to Security Gateways. To do this manually, add "accept_rdp_port;" to the relevant "user.def" file (see sk98239).

    • tunnel connections on TUNNEL_TEST port (UDP port 18234) to designated hosts.

    • accept L2TP (UDP port 1701) between the local machine and SecureClient/SecuRemote (SC/SR) machines.

    • accept SCV connections (UDP port 18233) from SCV gateways and policy servers.

  5. DAG
    • allow CPD, FWD_SVC, CPRID (TCP port 18208), ICA_PUSH, AMON and SAM from Security Management Servers to everywhere, if there are DAG modules.

  6. Other Check Point connections:
    • allow CPD (TCP port 18191) between Security Management Server and Security Gateways. Accept the reverse connection (sport=CPD) if the local Security Gateway is the source, even if the direct connection is not in the tables.

    • allow RTM (TCP port 18202) from the Security Management Server to RTM clients.

    • allow CP_REDUNDANT (TCP port 18221) between Security Management Servers.

    • allow CP_reporting (TCP port 18205) from GUI clients to reporting servers.

    • allow Policy Server Logon (TCP port 18231) from anywhere to policy servers.
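The list above is directional: some services are accepted only from Security Management Servers to Security Gateways, some "between" the two, and a few from anywhere. The following is an added example (not Check Point code) that encodes the bullets above as a small directional rule table and evaluates constructed sample flows against it, so you can see which of these ports an arbitrary address can reach on a gateway once the property is enabled. The role membership, IP addresses and the mapping of "local machine" to the gateway role are assumptions made for illustration.

```python
"""Audit model of the implied rules enabled by "Accept control connections".

Added example, not Check Point code. Each entry restates one bullet of the
article as a directional rule; constructed sample flows are then matched.
"""
from dataclasses import dataclass

# Constructed topology (assumed for illustration, not from the article).
# "local machine" in the article is modelled as the gateway role.
ROLES = {
    "mgmt": {"10.0.0.10"},
    "gw": {"10.0.0.1", "10.0.0.2"},
    "gui": {"10.1.1.50"},
    "reporting": {"10.0.0.20"},
    "policy_server": {"10.0.0.2"},
}


@dataclass(frozen=True)
class ImpliedRule:
    name: str
    proto: str
    port: int
    src: tuple                  # role names; () means "anywhere"
    dst: tuple                  # role names; () means "anywhere"
    both_ways: bool = False     # "between X and Y": the mirrored flow matches too
    reverse_sport: bool = False  # reply accepted by sport even without a table entry


RULES = [
    ImpliedRule("ExNet_PK", "tcp", 18262, ("mgmt",), ()),
    ImpliedRule("ExNet_Resolve", "tcp", 18263, ("mgmt",), ()),
    ImpliedRule("ExNet_PK", "tcp", 18262, (), ("gw",)),
    ImpliedRule("ExNet_Resolve", "tcp", 18263, (), ("gw",)),
    ImpliedRule("FWD_TOPO", "tcp", 264, (), ("mgmt", "gw")),
    ImpliedRule("FWD_SVC", "tcp", 256, ("mgmt",), ("gw",), both_ways=True),
    ImpliedRule("FWD_LOG", "tcp", 257, ("gw",), ("mgmt",)),
    ImpliedRule("CPMI", "tcp", 18190, ("gui", "reporting"), ("mgmt",), reverse_sport=True),
    ImpliedRule("AMON", "tcp", 18192, ("mgmt",), ("mgmt", "gw")),
    ImpliedRule("SAM", "tcp", 18183, ("mgmt",), ("gw",)),
    ImpliedRule("LEA", "tcp", 18184, ("reporting",), ("mgmt",)),
    ImpliedRule("ISAKMPD", "udp", 500, (), ("gw",), reverse_sport=True),
    ImpliedRule("ICA_PULL", "tcp", 18210, ("gw",), ("mgmt",)),
    ImpliedRule("ICA_PUSH", "tcp", 18211, ("mgmt",), ("mgmt", "gw")),
    ImpliedRule("ICA_SERVICES", "tcp", 18264, (), ("mgmt", "gw")),
    ImpliedRule("SCV", "udp", 18233, ("gw", "policy_server"), ("gw",)),
    ImpliedRule("CPD", "tcp", 18191, ("mgmt",), ("gw",), both_ways=True, reverse_sport=True),
    ImpliedRule("CP_REDUNDANT", "tcp", 18221, ("mgmt",), ("mgmt",), both_ways=True),
    ImpliedRule("Policy_Server_Logon", "tcp", 18231, (), ("policy_server",)),
]


def in_roles(ip: str, roles: tuple) -> bool:
    """() means anywhere; otherwise the IP must belong to one of the named roles."""
    return not roles or any(ip in ROLES[r] for r in roles)


def _one_way(rule: ImpliedRule, src: str, dst: str) -> bool:
    return in_roles(src, rule.src) and in_roles(dst, rule.dst)


def match(src: str, dst: str, proto: str, dport: int, sport: int = 0) -> list:
    """Return the names of implied rules that would accept this flow.

    A source-port match is reported only for rules the article marks as
    accepting the reverse connection without an entry in the connection tables.
    """
    hits = []
    for r in RULES:
        if r.proto != proto:
            continue
        forward = _one_way(r, src, dst) or (r.both_ways and _one_way(r, dst, src))
        if dport == r.port and forward:
            name = r.name
        elif r.reverse_sport and sport == r.port and _one_way(r, dst, src):
            name = r.name + " (reverse, sport match)"
        else:
            continue
        if name not in hits:
            hits.append(name)
    return hits


def exposed_to_anywhere() -> list:
    """Names of rules whose source is unrestricted: reachable from any address."""
    return sorted({r.name for r in RULES if not r.src})


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dport, sport).
    flows = [
        ("10.1.1.50", "10.0.0.10", "tcp", 18190, 0),    # GUI client to management
        ("203.0.113.7", "10.0.0.1", "tcp", 264, 0),     # topology download from outside
        ("203.0.113.7", "10.0.0.1", "tcp", 18191, 0),   # CPD from outside
        ("203.0.113.7", "10.0.0.2", "tcp", 18231, 0),   # Policy Server logon from outside
        ("10.0.0.10", "10.0.0.1", "tcp", 257, 0),       # log traffic, wrong direction
    ]
    for f in flows:
        print(f, "->", match(*f) or "not accepted by implied rules")
    print("sources unrestricted:", exposed_to_anywhere())
```

Running the script shows that the outside address is refused on CPD (18191) but accepted on FWD_TOPO (264) and Policy Server Logon (18231), which is why these ports deserve an explicit rule or an external-interface review even when the property is left enabled.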

 

Related solutions:

   sk52421 (Ports used by Check Point software)

   sk60331 (VPN connection is not establishing)
