I have not seen a server with so many open ports as a Provider-1. The communication on those ports is encrypted, but they are open to everybody on the LAN of that server, so it is strongly advised to plan a separate management LAN for Check Point firewall management.
The processes are documented in the Administration Guide, “Architecture and Processes” section:
http://supportcontent.checkpoint.com/documentation_download?ID=11683
Or in the well-known ATRG_NGX.pdf.
In the following post I describe the ports I see in my environment; it can be different on other systems if other applications (like Connectra or Eventia) are installed.
The command to check the open ports is lsof:
[Expert@provider1]# lsof -i -n | head
COMMAND PID  USER FD  TYPE DEVICE SIZE NODE NAME
sshd    2531 root 3u  IPv4 4539        TCP  *:ssh (LISTEN)
cpd     2728 root 9u  IPv4 4845        TCP  10.250.11.31:8989 (LISTEN)
cpd     2728 root 10u IPv4 4851        TCP  10.250.11.31:18191 (LISTEN)
cpd     2728 root 13u IPv4 4882        TCP  10.250.11.31:18196 (LISTEN)
cpd     2728 root 41u IPv4 5516        TCP  10.250.11.31:18192 (LISTEN)
cpd     2728 root 42u IPv4 5858        TCP  10.250.11.31:33316->10.250.11.31:1024 (ESTABLISHED)
cpd     2728 root 44u IPv4 5785        TCP  10.250.11.31:44836->10.250.11.31:1024 (ESTABLISHED)
cpd     2728 root 45u IPv4 5806        TCP  10.250.11.31:8989->10.250.11.31:44763 (ESTABLISHED)
cpd     2728 root 46u IPv4 5859        TCP  10.250.11.31:59014->10.250.11.31:18190 (ESTABLISHED)
or netstat:
[Expert@provider1]# netstat -nap | head
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address State  PID/Program name
tcp   0      0      10.250.11.31:256    0.0.0.0:*       LISTEN 2748/fwd
tcp   0      0      10.250.11.30:256    0.0.0.0:*       LISTEN 2749/fwd
tcp   0      0      10.250.11.31:1024   0.0.0.0:*       LISTEN 2748/fwd
tcp   0      0      10.250.11.30:1024   0.0.0.0:*       LISTEN 2749/fwd
tcp   0      0      10.250.11.15:256    0.0.0.0:*       LISTEN 2765/fwd
tcp   0      0      10.250.11.15:1024   0.0.0.0:*       LISTEN 2765/fwd
tcp   0      0      10.250.11.15:18208  0.0.0.0:*       LISTEN 3000/cprid
tcp   0      0      10.250.11.31:18209  0.0.0.0:*       LISTEN 3244/cpca
lsof seems to be the better choice, as it shows the process and service more clearly (for example when you check ssh).
Tcp/Udp listening services of a CMA
This CMA has VPN configurations with VPN-1 Edges as well.
tcp 0 0 10.10.10.10:256    0.0.0.0:* LISTEN 9926/fwd   off (0.00/0/0)
tcp 0 0 10.10.10.10:1024   0.0.0.0:* LISTEN 9926/fwd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18209  0.0.0.0:* LISTEN 9942/cpca  off (0.00/0/0)
tcp 0 0 10.10.10.10:257    0.0.0.0:* LISTEN 9926/fwd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18210  0.0.0.0:* LISTEN 9942/cpca  off (0.00/0/0)
tcp 0 0 10.10.10.10:18183  0.0.0.0:* LISTEN 9926/fwd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18184  0.0.0.0:* LISTEN 9926/fwd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18187  0.0.0.0:* LISTEN 9926/fwd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18221  0.0.0.0:* LISTEN 9927/fwm   off (0.00/0/0)
tcp 0 0 10.10.10.10:18190  0.0.0.0:* LISTEN 9927/fwm   off (0.00/0/0)
tcp 0 0 10.10.10.10:18191  0.0.0.0:* LISTEN 9916/cpd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18192  0.0.0.0:* LISTEN 9916/cpd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18196  0.0.0.0:* LISTEN 9916/cpd   off (0.00/0/0)
tcp 0 0 10.10.10.10:18264  0.0.0.0:* LISTEN 9942/cpca  off (0.00/0/0)
tcp 0 0 10.10.10.10:18265  0.0.0.0:* LISTEN 9942/cpca  off (0.00/0/0)
tcp 0 0 10.10.10.10:8989   0.0.0.0:* LISTEN 9916/cpd   off (0.00/0/0)
udp 0 0 10.10.10.10:9282   0.0.0.0:*        21541/sms  off (0.00/0/0)
The processes that use those ports, in the same order as above (information mainly from AERAsec):
Port | Process | Description
256 | fwd | Check Point VPN-1 & FireWall-1 Service (get topology information from SCt or CMA to FWM; full synchronisation for HA configuration)
1024 | fwd (per netstat) | not documented in the port references below
18209 | cpca | Protocol used in SIC for communication between FWM and ICA (status, issue, revoke)
257 | fwd | Check Point VPN-1 & FireWall-1 Logs – Protocol used for delivering logs from FWM to SCt – Protocol used for delivering logs from FWM to CMA or CLM
18210 | cpca | Check Point Internal CA Pull Certificate Service – Protocol used by SIC, e.g. for FWM pulling CA’s from SCt
18183 | fwd | Check Point OPSEC Suspicious Activity Monitor API – Protocol e.g. for Block Intruder between SCt (or CMA) and FWM
18184 | fwd | Check Point OPSEC Log Export API – Protocol for exporting logs from SCt
18187 | fwd | Check Point OPSEC Event Logging API – Protocol for applications logging to the Firewall log at SCt
18221 | fwm | Check Point Redundant Management Protocol – Protocol used for synchronizing primary and secondary SCt or CMA – Protocol used for synchronizing primary and secondary MDS
18190 | fwm | Check Point Management Interface – Protocol for communication between GUI and SCt – Protocol for connections from MDG to MDS and CMA
18191 | cpd | Check Point Daemon Protocol – Download of rulebase from SCt to FWM – Fetching rulebase from FWM to SCt or CMA when starting FWM – Download of rulebase from MDS/CMA to FWM
18192 | cpd | Check Point Internal Application Monitoring – Protocol for getting System Status from SCt or MDS/CMA to FWM
18196 | cpd | Used for CPEPS, which is part of User Monitor
18264 | cpca | Check Point Internal CA Fetch CRL and User Registration Services – Protocol for Certificate Revocation Lists and registering users when using the Policy Server – needed e.g. when FWM is starting
18265 | cpca | Check Point Internal CA Management Tools – Protocol for managing the ICA, also used for central administration of certificates on SCt – needs to be started separately with the command cpca_client
8989 | cpd | Only used internally by the CMA for messaging (process: cpd)
9282 | sms | VPN-1 Embedded / SofaWare Management Server (SMS) – Encrypted protocol for communication between MM and Check Point appliance (e.g. VPN-1 Edge)
The ports are defined in the following links, except tcp 1024; what is this?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk14510
http://www.fw-1.de/aerasec/ngx/ports-ngx.html
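As an added example (not from the original post), a POSIX shell script that turns netstat -nap output into a listener inventory, flags port/process pairs missing from the documented list above (tcp 1024 shows up exactly this way), and lists listeners not bound to the management address, which is the check behind the separate-management-LAN advice at the top. The sample netstat lines, the management address 10.10.10.10 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build a listener inventory from
# "netstat -nap" output and flag (a) port/process pairs missing from the
# documented Check Point list above and (b) listeners not bound to the
# management address. Sample lines are constructed from the CMA output above.
# IPv4 only: the address column is split on ":" into address and port.

# Documented CMA/MDS listeners from the table above, as port/process pairs.
KNOWN_PORTS="256/fwd 257/fwd 18209/cpca 18210/cpca 18183/fwd 18184/fwd 18187/fwd \
18221/fwm 18190/fwm 18191/cpd 18192/cpd 18196/cpd 18264/cpca 18265/cpca 8989/cpd \
9282/sms 18208/cprid"

# Constructed sample in "netstat -nap" format (udp rows have no State column).
SAMPLE_NETSTAT='tcp  0  0 10.10.10.10:256    0.0.0.0:*          LISTEN       9926/fwd
tcp  0  0 10.10.10.10:1024   0.0.0.0:*          LISTEN       9926/fwd
tcp  0  0 10.10.10.10:18190  0.0.0.0:*          LISTEN       9927/fwm
tcp  0  0 0.0.0.0:22         0.0.0.0:*          LISTEN       2531/sshd
tcp  0  0 10.10.10.10:18209  10.10.10.10:40000  ESTABLISHED  9942/cpca
udp  0  0 10.10.10.10:9282   0.0.0.0:*                       21541/sms'

# Print "proto addr port process" for each listening socket (established rows skipped).
list_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); split($7, p, "/"); print $1, a[1], a[n], p[2] }
        $1 == "udp"                   { n = split($4, a, ":"); split($6, p, "/"); print $1, a[1], a[n], p[2] }'
}

# Print listeners whose port/process pair is not in KNOWN_PORTS.
unknown_listeners() {
    list_listeners "$1" | while read -r proto addr port proc; do
        case " $KNOWN_PORTS " in
            *" $port/$proc "*) ;;
            *) printf '%s %s %s %s\n' "$proto" "$addr" "$port" "$proc" ;;
        esac
    done
}

# Print listeners not bound to the management address $2 (0.0.0.0 binds included).
off_mgmt_listeners() {
    list_listeners "$1" | awk -v mgmt="$2" '$2 != mgmt'
}

echo "== listeners not in the documented port list =="
unknown_listeners "$SAMPLE_NETSTAT"
echo "== listeners not bound to management address 10.10.10.10 =="
off_mgmt_listeners "$SAMPLE_NETSTAT" 10.10.10.10
```

On a live system replace the constructed sample with `netstat -nap` output captured from the CMA or MDS.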
Tcp/Udp listening services of an MDS
tcp 0 0 10.10.10.11:256    0.0.0.0:* LISTEN 21435/fwd             off (0.00/0/0)
tcp 0 0 10.10.10.11:1024   0.0.0.0:* LISTEN 21435/fwd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18208  0.0.0.0:* LISTEN 4465/cprid            off (0.00/0/0)
tcp 0 0 10.10.10.11:18209  0.0.0.0:* LISTEN 21590/cpca            off (0.00/0/0)
tcp 0 0 10.10.10.11:257    0.0.0.0:* LISTEN 21435/fwd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18210  0.0.0.0:* LISTEN 21590/cpca            off (0.00/0/0)
tcp 0 0 10.10.10.11:18183  0.0.0.0:* LISTEN 21435/fwd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18184  0.0.0.0:* LISTEN 21435/fwd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18187  0.0.0.0:* LISTEN 21435/fwd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18221  0.0.0.0:* LISTEN 21436/fwm             off (0.00/0/0)
tcp 0 0 10.10.10.11:18190  0.0.0.0:* LISTEN 21436/fwm             off (0.00/0/0)
tcp 0 0 10.10.10.11:18191  0.0.0.0:* LISTEN 21434/cpd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18192  0.0.0.0:* LISTEN 21434/cpd             off (0.00/0/0)
tcp 0 0 10.10.10.11:4434   0.0.0.0:* LISTEN 4353/cp_http_server   off (0.00/0/0)
tcp 0 0 10.10.10.11:18196  0.0.0.0:* LISTEN 21434/cpd             off (0.00/0/0)
tcp 0 0 10.10.10.11:18264  0.0.0.0:* LISTEN 21590/cpca            off (0.00/0/0)
tcp 0 0 10.10.10.11:18265  0.0.0.0:* LISTEN 21590/cpca            off (0.00/0/0)
tcp 0 0 10.10.10.11:8989   0.0.0.0:* LISTEN 21434/cpd             off (0.00/0/0)
Strange ports:
We have a CMA where we do not use any kind of VPN, and even there a service listens on port 264:
tcp 0 0 10.10.10.30:264 0.0.0.0:* LISTEN 20994/fwd off (0.00/0/0)
CMA processes
- cpd: SVN Foundation infrastructure process.
- cpca: The Certificate Authority manager process. This process doesn’t run on Log Managers and Container MDSs.
- fwd: Log server process.
- fwm: Security Management server main process.
- status_proxy: Status collection of SmartLSM Security Gateways. This process runs only on CMAs that were enabled for Large Scale Management.
- sms: Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge gateways. This process runs only on CMAs that manage UTM-1 Edge devices.
Example
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
CMA processes with Edge Firewall
If the firewall policy in SmartDashboard contains any rule (or just VPN community?) configuration for an Edge firewall, then after the first policy install the SofaWare Management Server is started through a watchdog daemon:
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
Processes for policy installation
Policy install on Firewall
Source CMA: mycma01
Destination Firewall: myfirewall
Policy name: VPN_test.W
1. Processes before policy install (for a gateway in SmartDashboard)
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
2. After the install is started, “fwm load” starts
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm load -M -s99bd6f8 -p firewall -r /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test myfirewall1
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
.
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fw dbloadlocal -d /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/state/__tmp/CPDB
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm load -M -s99bd6f8 -p firewall -r /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test myfirewall1
     \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fw_loader dbload mycma01
     \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fw_loader load -r -M /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test.W myfirewall1
         \_ /bin/csh -f /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwc -DPROFILE_0 /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test.pf myfirewall1
             \_ fwcomp /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/tmp/VPN_test.cpp myfirewall1
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
.
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm load -M -s99bd6f8 -p firewall -r /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test myfirewall1
     \_ [fw_loader]
     \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fw_loader load -r -M /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test.W myfirewall1
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
3. Processes after the policy install has finished
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
Policy install on Edge Firewall
Source CMA: mycma01
Destination Edge Firewall: Test-Edge
Policy name: VPN_test
1. Processes before policy install (for an Edge in SmartDashboard)
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
2. After the install is started, “fwm load” starts
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm load -M -s99bd6f8 -p sofaware_gw -r /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test Test-Edge
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
3. The SofaWare Loader starts
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm load -M -s99bd6f8 -p sofaware_gw -r /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test Test-Edge
     \_ /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/bin/SofawareLoader -generate /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/conf/VPN_test.W Test-Edge
         \_ /bin/csh -f /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/bin/SofaWareTopology.sh /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70 Test-Edge VPN_test -new_format
             \_ vpn sw_topology -dir /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/tmp/ -name dummy -profile Test-Edge -policy VPN_test -new_format
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
.
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm load -M -s99bd6f8 -p sofaware_gw -r /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/VPN_test Test-Edge
     \_ /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/bin/SofawareLoader -generate /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/conf/VPN_test.W Test-Edge
         \_ /bin/csh -f /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/bin/SofaWareViaRules.sh /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70 VPN_test
             \_ vpn sw_vpn_policy -policy VPN_test -dir /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/tmp// -filename VPN_test.via
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
4. In case of an HA CMA, the configuration is replicated
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
 \_ fwarchive b -l -path /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/tmp/mgha -target backup.tar -conf /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/tmp/mgha/backup.conf
     \_ /opt/CPmds-R70/customers/mycma01/CPshrd-R70/util/gzip -f backup.tar
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
5. Processes after the policy install
/opt/CPmds-R70/customers/mycma01/CPshrd-R70/bin/cpd
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwd -n
 \_ cpca
/opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/fwm
/bin/sh /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/smsstart_wd
 \_ /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/bin/sms -confdir /opt/CPmds-R70/customers/mycma01/CPsuite-R70/fw1/conf/sofaware
Ports used on the gateway for SecureClient and Endpoint Connect (source: sk62692)
Port | Protocol | Purpose
259 | udp | RDP (necessary only for MEP resolving and dynamic interface resolving)
264 | tcp | Topology download
500 | udp | IKEv1
500 | tcp | IKE over TCP
18231 | tcp | Policy Server login (seen on the network using SSL if SecureClient/Endpoint Connect has an IP address in the VPN Domain; not necessary to open this port if SecureClient/Endpoint Connect is not in the VPN Domain)
50 | IP | ESP
2746 | udp | UDP encapsulation (encapsulates protocol 50 ESP packets)
4500 | udp | NAT-T port for industry-standard UDP encapsulation
443 | tcp | In visitor mode, all VPN traffic is tunneled through port 443
18234 | udp | Tunnel test – used through the tunnel
18231 | tcp | Policy Server login (will be encrypted if the SecureClient IP address is not in the VPN Domain)
18233 | udp | SCV update
Posted on November 7, 2011