The PhoneBoy Blog

FireWall-1 FAQ: Ports used by FireWall-1 4.1 and earlier

Last Modified: 12 May 2003

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

FireWall-1 uses many ports for communication. The following list explains the ports that FireWall-1 uses

• TCP Port 256 is used for three important things:
• Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
• SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
• When instaling a policy, the management console uses this port to push the policy to the remote firewall.
• TCP Port 257 is used by a remote firewall module to send logs to a management console.
• TCP Port 258 is used by the fwpolicy remote GUI.
• TCP Port 259 is used for Client Authentication.
• UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
• UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides.
• TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console
• TCP port 265, according to my 4.1SP1 objects.C, is labeled "Check Point VPN-1 Public Key Transfer Protocol." I'm guessing this is used by FireWall-1 to exchange public keys with other hosts.
• UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client.
• TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism.
• TCP Ports above 1024 are generally any Security Servers that are active. The actual ports used by these servers will vary.
• UDP Port 2746 is used for UDP Encapsulation Mode.
• TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning).
• TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like).
• TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection).
• TCP Port 18184 is used for Log Export API (lea) .
• TCP Port 18207 is used to log onto the Policy Server for Secure Client.
• TCP Port 18208 is used for Check Point's Remote Installation Daemon.
• TCP Port 19090 User Authority simple protocol
• TCP Port 19191 is used for User Authentication API.
Note that access to ports 256, 257, 258, and 260 are generally permitted through the Policy Properties. To disable access to these ports, see the following FAQ: How can I disable everything in the rulebase properties in FireWall-1 4.1? Any of the authentication-related services listed above can be disabled by commenting out the appropriate entries in $FWDIR/conf/fwauthd.conf. The sam and lea ports can be disabled by commenting out the apporpriate lines in $FWDIR/conf/fwopsec.conf.