Check Point FireWall-1
aka securemote, fw1
Check Point's SecuRemote/management service on 264 (and 257/258/18xxx). The topology service can leak the internal network layout and the firewall/management hostname before you authenticate.
Ports
| Port | Proto | Notes |
|---|---|---|
264 | tcp | SecuRemote topology |
18264 | tcp | ICA / cert services |
Fingerprint
- nmap detects Check Point FW-1 on 264
- SecuRemote topology request returns the firewall name
Exploitation primitives
- Pre-auth topology download reveals the internal network and firewall/object names
- Leaks the management/gateway hostname (useful for follow-on attacks)
Overview
Check Point’s SecuRemote on 264 can disclose internal topology and the firewall’s name without credentials — handy recon against a perimeter device.
Enumeration
Identify the service:
nmap -p264 -sV <TARGET>Pull the firewall hostname / topology with the classic probe:
python2 cpd.py <TARGET>Hardening
Disable anonymous topology downloads, restrict SecuRemote ports to known clients, and keep the gateway patched.