The Control Connections enabled by the "Accept control connections" property in "Global Properties" (located in the "Policy" menu in SmartDashboard) are listed below:
- Extranet connections:
- TCP port 18262 and TCP port 18263 ("ExNet_PK" and "ExNet_Resolve") are allowed from all Security Management Servers to anywhere, and from anywhere to the local machine (or local Cluster IP address).
- A few "ExtraNet" initializations are done. If using "ExtraNet", you should add "mark_extranet_flag;" to the relevant "user.def" file (see sk98239).
- FWD connections:
- FWD_TOPO (TCP port 264) is enabled from anywhere to all Security Management Servers and all Security Gateways.
- FWD_SVC (TCP port 256) is enabled between all Security Management Servers and all Security Gateways.
- FWD_LOG (TCP port 257) is enabled from all Security Gateways to all Security Management Servers.
- OPSEC connections:
- allow CPMI (TCP port 18190) from GUI clients and reporting clients to Security Management Server. On the Security Management Server, accept the reverse connection (sport=CPMI) even if the direct connection is not in the tables.
- allow AMON (TCP port 18192) from all Security Management Servers to all Security Management Servers and Security Gateways.
- allow SAM (TCP port 18183) from all Security Management Servers to all Security Gateways.
- allow UFP (TCP port 18182) from local machine to UFP servers.
- allow CVP (TCP port 18181) from local machine to CVP servers.
- allow LEA (TCP port 18184) from reporting servers to Security Management Servers.
- allow ELA (TCP port 18187) from UserAuthority servers to Security Management Servers.
- allow OMI (TCP port 18185) and OMI_SIC (TCP port 18186) from reporting servers to Security Management Servers.
- allow ISAKMPD (TCP port 500 and UDP port 500) to local machine. Allow the reverse connection (sport=ISAKMPD) even if it is not in the tables.
- allow ICA_PULL (TCP port 18210) from all Security Gateways to all Security Management Servers.
Note: The ICA services aren't solely for VPN use. Initial SIC connectivity and subsequent certificate distribution depend on these ports.
- allow ICA_PUSH (TCP port 18211) from all Security Management Servers to all Security Gateways and Security Management Servers, and to UserAuthority machines.
- allow ICA_SERVICES (TCP port 18264) to the Security Management Server. Allow ICA_SERVICES connections to local machine, but redirect them to the Security Management Server.
- specially handle RDP (UDP port 259) connections to Security Gateways. To do this manually, you should add "accept_rdp_port;" to the relevant "user.def" file (see sk98239).
- accept tunnel-test connections (TUNNEL_TEST, UDP port 18234) to designated hosts.
- accept L2TP (UDP port 1701) between local machine and SC/SR machine.
- accept SCV connections (UDP port 18233) from SCV gateways and policy servers.
- allow CPD, FWD_SVC, CPRID (TCP port 18208), ICA_PUSH, AMON and SAM from Security Management Servers to everywhere, if there are DAG modules.
- Other Check Point connections:
- allow CPD (TCP port 18191) between Security Management Server and Security Gateways. Accept the reverse connection (sport=CPD) if the local Security Gateway is the source, even if the direct connection is not in the tables.
- allow RTM (TCP port 18202) from the Security Management Server to RTM clients.
- allow CP_REDUNDANT (TCP port 18221) between Security Management Servers.
- allow CP_reporting (TCP port 18205) from GUI clients to reporting servers.
- allow Policy Server Logon (TCP port 18231) from anywhere to policy servers.
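The list above is easier to audit when it is treated as a small policy model: given the roles a source and a destination hold (Security Management Server, Security Gateway, GUI client, and so on), which of the implied control connections accept a new connection on a given port, and which services does a host accept from an arbitrary source once "Accept control connections" is on. The following is an added example (not Check Point's own implied_rules.def or any Check Point code); the role names, the helper names and the assumption that an unknown host holds no role are this example's own. Where the page leaves a side of a rule unstated (RDP and TUNNEL_TEST sources, SCV destination) the model takes "anywhere" or "local machine" and says so in a comment; the DAG-only rules, the reverse-connection (sport=...) acceptances and the redirection of ICA_SERVICES to the Management Server are not modelled.

```python
"""Model of the control connections listed above (added example, not
Check Point code).  A host may hold several roles: a gateway evaluating
its own traffic is {GW, LOCAL}; an unknown peer holds the empty set."""
from typing import FrozenSet, List, NamedTuple, Set, Tuple

ANY = "anywhere"            # rule wildcard; never assigned to a host
MGMT = "mgmt"               # Security Management Server
GW = "gateway"              # Security Gateway
LOCAL = "local"             # the machine enforcing the policy
GUI = "gui_client"
REPORTING = "reporting"     # reporting server / reporting client
UFP_SRV, CVP_SRV = "ufp_server", "cvp_server"
UA = "userauthority"
RTM_CLIENT = "rtm_client"
POLICY_SRV = "policy_server"
SCV_GW = "scv_gateway"
SC_SR = "secureclient"      # SecureClient / SecuRemote machine
TUNNEL_HOST = "tunnel_test_host"   # the "designated hosts" for TUNNEL_TEST


class Rule(NamedTuple):
    name: str
    proto: str
    port: int
    src: FrozenSet[str]
    dst: FrozenSet[str]


def _r(name, proto, port, src, dst) -> Rule:
    return Rule(name, proto, port, frozenset(src), frozenset(dst))


def _both(name, proto, port, a, b) -> List[Rule]:
    """'between A and B' on the page means both directions."""
    return [_r(name, proto, port, a, b), _r(name, proto, port, b, a)]


IMPLIED_RULES: List[Rule] = [
    # Extranet connections
    _r("ExNet_PK", "tcp", 18262, {MGMT}, {ANY}),
    _r("ExNet_PK", "tcp", 18262, {ANY}, {LOCAL}),
    _r("ExNet_Resolve", "tcp", 18263, {MGMT}, {ANY}),
    _r("ExNet_Resolve", "tcp", 18263, {ANY}, {LOCAL}),
    # FWD connections
    _r("FWD_TOPO", "tcp", 264, {ANY}, {MGMT, GW}),
    *_both("FWD_SVC", "tcp", 256, {MGMT}, {GW}),
    _r("FWD_LOG", "tcp", 257, {GW}, {MGMT}),
    # OPSEC connections
    _r("CPMI", "tcp", 18190, {GUI, REPORTING}, {MGMT}),
    _r("AMON", "tcp", 18192, {MGMT}, {MGMT, GW}),
    _r("SAM", "tcp", 18183, {MGMT}, {GW}),
    _r("UFP", "tcp", 18182, {LOCAL}, {UFP_SRV}),
    _r("CVP", "tcp", 18181, {LOCAL}, {CVP_SRV}),
    _r("LEA", "tcp", 18184, {REPORTING}, {MGMT}),
    _r("ELA", "tcp", 18187, {UA}, {MGMT}),
    _r("OMI", "tcp", 18185, {REPORTING}, {MGMT}),
    _r("OMI_SIC", "tcp", 18186, {REPORTING}, {MGMT}),
    _r("ISAKMPD", "tcp", 500, {ANY}, {LOCAL}),
    _r("ISAKMPD", "udp", 500, {ANY}, {LOCAL}),
    _r("ICA_PULL", "tcp", 18210, {GW}, {MGMT}),
    _r("ICA_PUSH", "tcp", 18211, {MGMT}, {GW, MGMT, UA}),
    _r("ICA_SERVICES", "tcp", 18264, {ANY}, {MGMT, LOCAL}),
    _r("RDP", "udp", 259, {ANY}, {GW}),                     # source unstated; assumed any
    _r("TUNNEL_TEST", "udp", 18234, {ANY}, {TUNNEL_HOST}),  # source unstated; assumed any
    *_both("L2TP", "udp", 1701, {LOCAL}, {SC_SR}),
    _r("SCV", "udp", 18233, {SCV_GW, POLICY_SRV}, {LOCAL}),  # destination unstated; assumed local
    # Other Check Point connections
    *_both("CPD", "tcp", 18191, {MGMT}, {GW}),
    _r("RTM", "tcp", 18202, {MGMT}, {RTM_CLIENT}),
    _r("CP_REDUNDANT", "tcp", 18221, {MGMT}, {MGMT}),
    _r("CP_reporting", "tcp", 18205, {GUI}, {REPORTING}),
    _r("PolicyServerLogon", "tcp", 18231, {ANY}, {POLICY_SRV}),
]


def _side_matches(rule_side: FrozenSet[str], host_roles: Set[str]) -> bool:
    return ANY in rule_side or bool(rule_side & host_roles)


def matching_rules(src_roles, dst_roles, proto: str, port: int) -> List[Rule]:
    """Implied rules that accept a new connection src -> dst on proto/port."""
    return [r for r in IMPLIED_RULES
            if r.proto == proto and r.port == port
            and _side_matches(r.src, set(src_roles))
            and _side_matches(r.dst, set(dst_roles))]


def is_accepted(src_roles, dst_roles, proto: str, port: int) -> bool:
    return bool(matching_rules(src_roles, dst_roles, proto, port))


def exposed_from_anywhere(dst_roles) -> List[Tuple[str, str, int]]:
    """Services a host with these roles accepts from a peer holding no role,
    i.e. what 'Accept control connections' opens to arbitrary sources."""
    return sorted({(r.name, r.proto, r.port) for r in IMPLIED_RULES
                   if ANY in r.src and _side_matches(r.dst, set(dst_roles))})


if __name__ == "__main__":
    gateway = {GW, LOCAL}   # a Security Gateway evaluating its own traffic
    for name, proto, port in exposed_from_anywhere(gateway):
        print("gateway accepts %s/%d (%s) from anywhere" % (proto, port, name))
    print("unknown host -> gateway CPD:", is_accepted(set(), gateway, "tcp", 18191))
```

Running it against a gateway's role set lists FWD_TOPO, ISAKMPD, ICA_SERVICES, RDP and the ExNet ports as reachable from any source, while CPD, FWD_SVC and SAM only match when the source holds the Management Server role; that is the set a practitioner should expect to see reachable before deciding whether to leave "Accept control connections" enabled or replace it with explicit rules.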
sk52421 (Ports used by Check Point software)
sk60331 (VPN connection is not establishing)