PEN Test Query - Firewall responds to port 4104 but that doesn't show in PolicyManager
Hi,
This is my first post, so please be kind.
We recently had a pen test, which raised an issue with the certificate on our firewall, because "the host name doesn't match the supplied URI".
The tester is connecting on an IP and Port, not a host name, so that's not a surprise.
The part that confuses me is that they found this on port 4104 (as well as others; I'm just using this one as my example).
Reading down the rules we have in policy manager, we don't have anything that should expose that port to the WAN.
I have since disabled client downloads, as we have no need for that functionality, hoping that that may remove the issue, but when I re-scan I still see the issue.
I have a few questions:
How do I stop the firewall responding on these random ports?
Is there a checklist of recommended settings that I can use to avoid things like this in future?
Thank you
Potski
Comments
There are a number of hidden WG policies that allow traffic.
WG specific use ports are in the TCP 4100 range.
No idea offhand about port 4104.
You could try adding ports to the Blocked Ports list, and see if that really blocks them.
You can open a support incident and ask WG what is using the open ports that your test found.
Long ago, there was a list of the ports that WG used and what they are used for. I have not seen that list in a long time.
Also, just to verify - these were found by a PEN test from outside the firewall, correct?
Yes, that's correct.
I'll have a Google, see if I can find anything.
Thanks
I have no idea what that port is for, but I can telnet to it from the inside and reach its HTTPS page with "502 Bad Gateway" showing. I scanned from outside using port 4100-4150 at https://www.grc.com/x/ne.dll?bh0bkyd2 and got Stealth status. I tested with my T20W on 12.6.4 firmware.
Gregg Hill
According to an OLD manual, "Configuring WatchGuard VPN. Use WatchGuard VPN to implement branch office VPN between two Fireboxes. WatchGuard VPN uses udp port 4104." It is from "WatchGuard Firebox System User Guide" for Firebox System 4.6.
Gregg Hill
But your telnet connection was for TCP port 4104?
Yes, telnet is TCP. It also answers in a web browser (HTTPS) on that port with "502 Bad Gateway" showing.
Gregg Hill
These are the ports the box listens on by default:
tcpConnState.0.0.0.0.4100
tcpConnState.0.0.0.0.4101
tcpConnState.0.0.0.0.4102
tcpConnState.0.0.0.0.4103
tcpConnState.0.0.0.0.4104
tcpConnState.0.0.0.0.4106
tcpConnState.0.0.0.0.4107
tcpConnState.0.0.0.0.4108
tcpConnState.0.0.0.0.4109
tcpConnState.0.0.0.0.4117
tcpConnState.0.0.0.0.4118
tcpConnState.0.0.0.0.4123
tcpConnState.0.0.0.0.4124
tcpConnState.0.0.0.0.4125
tcpConnState.0.0.0.0.4126
tcpConnState.0.0.0.0.4300
tcpConnState.0.0.0.0.4301
tcpConnState.0.0.0.0.8080
tcpConnState.127.0.0.1.80
While that shows the ports that the firewall is listening on, it doesn't explain why some of these ports are open, nor how to close them.
@Potski 4104/TCP is the port the firewall uses for the wireless hotspot feature in order to do redirects on HTTPS.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/hotspot_custom_page_c.html
If that feature is enabled, a policy should have been made with it to allow the response. If a rule was made for the pen test (something like -pentester IP- to Firebox, or a list of your external IPs to ANY port) the firewall may reply with redirects and such for unused features because the rules for them have effectively been made.
-if- they had you make a rule like that, I'd suggest disabling it and running the scan again.
I checked the ports you mentioned against known services on the firewall and found the following:
4100/TCP Firewall, SSLVPN authentication and download, Access portal
4101/TCP Firewall authentication auto-redirect (HTTP)
4102/TCP Firewall authentication auto-redirect (HTTPS)
4103/TCP Wireless hotspot auto-redirect (HTTP)
4104/TCP Wireless hotspot auto-redirect (HTTPS)
4106/TCP Wireless hotspot EULA page
4107/TCP Log Collector Service
4108/TCP WG X-path communication (via WSM, etc.)
4109/TCP Mgmt Server
4117/TCP WSM
4118/TCP WSM, SSH
4123/TCP Firewall Quota error page
4124/TCP Firewall Quota error page
4125/TCP Proxy PAC file download
4126/TCP HTTPS certificate portal
4300/TCP Alt HTTPS port
4301/TCP Alt HTTPS port
8080/TCP WebUI
80/TCP WebUI Redirect to HTTPS
-James Carson
WatchGuard Customer Support
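To make the two lists in this thread easier to act on together, here is an added example (not code from the thread, from WatchGuard, or from any poster) that parses the tcpConnState rows posted above, labels each listener with the service from James Carson's list, and works out which all-interface listeners are candidates for the Blocked Ports list that RVilhelmsen mentioned. The set of "needed" services (SSLVPN/Access portal, WSM/SSH and the WebUI) is an assumption chosen for illustration; a site would substitute the features it actually uses.

```python
"""Cross-check a Firebox listening-socket list against the documented
WatchGuard service ports and list Blocked Ports candidates.

Added example: not from the thread or from WatchGuard. The service map is
transcribed from James Carson's post; the sample input is the tcpConnState
list posted by RVilhelmsen. NEEDED_PORTS is an assumed, illustrative set.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Port-to-service map, transcribed from James Carson's list in this thread.
WG_SERVICE_PORTS: Dict[int, str] = {
    80: "WebUI redirect to HTTPS",
    4100: "Firewall, SSLVPN authentication and download, Access portal",
    4101: "Firewall authentication auto-redirect (HTTP)",
    4102: "Firewall authentication auto-redirect (HTTPS)",
    4103: "Wireless hotspot auto-redirect (HTTP)",
    4104: "Wireless hotspot auto-redirect (HTTPS)",
    4106: "Wireless hotspot EULA page",
    4107: "Log Collector Service",
    4108: "WG X-path communication (via WSM, etc.)",
    4109: "Management Server",
    4117: "WSM",
    4118: "WSM, SSH",
    4123: "Firewall quota error page",
    4124: "Firewall quota error page",
    4125: "Proxy PAC file download",
    4126: "HTTPS certificate portal",
    4300: "Alternate HTTPS port",
    4301: "Alternate HTTPS port",
    8080: "WebUI",
}

# Listening-socket list as posted in the thread (SNMP-style tcpConnState rows).
POSTED_LISTENERS = """\
tcpConnState.0.0.0.0.4100
tcpConnState.0.0.0.0.4101
tcpConnState.0.0.0.0.4102
tcpConnState.0.0.0.0.4103
tcpConnState.0.0.0.0.4104
tcpConnState.0.0.0.0.4106
tcpConnState.0.0.0.0.4107
tcpConnState.0.0.0.0.4108
tcpConnState.0.0.0.0.4109
tcpConnState.0.0.0.0.4117
tcpConnState.0.0.0.0.4118
tcpConnState.0.0.0.0.4123
tcpConnState.0.0.0.0.4124
tcpConnState.0.0.0.0.4125
tcpConnState.0.0.0.0.4126
tcpConnState.0.0.0.0.4300
tcpConnState.0.0.0.0.4301
tcpConnState.0.0.0.0.8080
tcpConnState.127.0.0.1.80
"""

# One row: tcpConnState.<bound IPv4 address>.<port>
_ROW = re.compile(r"^tcpConnState\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})$")


@dataclass(frozen=True)
class Listener:
    address: str  # bound address; 0.0.0.0 means every interface, external included
    port: int
    service: str  # documented use, or "unknown" when the port is not in the map


def parse_listeners(text: str) -> List[Listener]:
    """Parse tcpConnState rows into Listener records; other lines are skipped."""
    found: List[Listener] = []
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue
        port = int(m.group(2))
        found.append(Listener(m.group(1), port, WG_SERVICE_PORTS.get(port, "unknown")))
    return found


def wan_reachable(listeners: List[Listener]) -> List[Listener]:
    """Sockets bound to 0.0.0.0 can answer on the external interface if a policy
    (visible or hidden) lets the traffic through; loopback-only sockets cannot."""
    return [l for l in listeners if l.address == "0.0.0.0"]


def blocked_port_candidates(listeners: List[Listener], needed: Set[int]) -> List[int]:
    """All-interface listeners whose service the site does not use: candidates
    for the Blocked Ports list, to be re-tested with an external scan afterwards."""
    return sorted({l.port for l in wan_reachable(listeners) if l.port not in needed})


def unknown_listeners(listeners: List[Listener]) -> List[Listener]:
    """Listeners on ports the documented map does not cover (worth a support case)."""
    return [l for l in listeners if l.service == "unknown"]


# Assumed, illustrative set of services this site relies on (not from the thread).
NEEDED_PORTS: Set[int] = {4100, 4118, 8080}


if __name__ == "__main__":
    listeners = parse_listeners(POSTED_LISTENERS)
    for l in listeners:
        print(f"{l.address}:{l.port:<5} {l.service}")
    print("Blocked Ports candidates:", blocked_port_candidates(listeners, NEEDED_PORTS))
    print("Undocumented listeners:", unknown_listeners(listeners))
```

The candidate list is only a starting point: as James Carson notes, a listening socket does not by itself mean the WAN can reach it, so the check that matters is the external re-scan after the block rules are in place.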
@James_Carson
Thanks for the list of the uses for these ports.
Thank you to all that commented.
In the end, I created block rules for the range of ports specified by @RVilhelmsen and @James_Carson above.