https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245780#M125850 <P>Hi ,</P> <P>&nbsp;</P> <P>i would like to seek clarification&nbsp;clarification regarding a threat detection observed on our Palo Alto firewall, which we believe may be a false positive. During our review of the threat log, we noticed that the detection from below source and destination via port 18264 references several filenames as win.ini, fake.cgi, note.txt, jhjr60x8.kspx<BR /><BR /></P> <P>These filenames do not appear to relevant in the context of the environment, as the traffic was observed between Check Point devices communicating with each other over TCP port 18264, which is believed to be used for Check Point proprietary internal services (e.g. update, synchronization, or certificate-related communication). Upon further review on the traffic under application found “incomplete”, “checkpoint-cpd” and “web-browsing”.</P> <P>&nbsp;</P> <P>=======================================================</P> <P>URL/Filename</P> <P>win.ini</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Microsoft Windows win.ini Access Attempt Detected(30851)</P> <P>YAWS Unauthenticated Remote File Disclosure Vulnerability(58618)</P> <P>-------------------------------------------------------------------------</P> <P>URL/Filename</P> <P>fake.cgi</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Microsoft Windows win.ini Access Attempt Detected(30851)</P> <P>--------------------------------------------------------------------------</P> <P>URL/Filename</P> <P>note.txt</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Microsoft Windows win.ini Access Attempt Detected(30851)</P> <P>-----------------------------------------------------------------------</P> <P>URL/Filename</P> <P>jhjr60x8.kspx&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Generic Cross-Site Scripting Vulnerability(94328)</P> <P>=============================================================</P> <P>&nbsp;</P> <P>Any advise?</P> <P>&nbsp;</P> Fri, 16 Jan 2026 09:42:13 GMT Fariq_Zaidi 2026-01-16T09:42:13Z https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245780#M125850 <P>Hi ,</P> <P>&nbsp;</P> <P>i would like to seek clarification&nbsp;clarification regarding a threat detection observed on our Palo Alto firewall, which we believe may be a false positive. During our review of the threat log, we noticed that the detection from below source and destination via port 18264 references several filenames as win.ini, fake.cgi, note.txt, jhjr60x8.kspx<BR /><BR /></P> <P>These filenames do not appear to relevant in the context of the environment, as the traffic was observed between Check Point devices communicating with each other over TCP port 18264, which is believed to be used for Check Point proprietary internal services (e.g. update, synchronization, or certificate-related communication). Upon further review on the traffic under application found “incomplete”, “checkpoint-cpd” and “web-browsing”.</P> <P>&nbsp;</P> <P>=======================================================</P> <P>URL/Filename</P> <P>win.ini</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Microsoft Windows win.ini Access Attempt Detected(30851)</P> <P>YAWS Unauthenticated Remote File Disclosure Vulnerability(58618)</P> <P>-------------------------------------------------------------------------</P> <P>URL/Filename</P> <P>fake.cgi</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Microsoft Windows win.ini Access Attempt Detected(30851)</P> <P>--------------------------------------------------------------------------</P> <P>URL/Filename</P> <P>note.txt</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Microsoft Windows win.ini Access Attempt Detected(30851)</P> <P>-----------------------------------------------------------------------</P> <P>URL/Filename</P> <P>jhjr60x8.kspx&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Threat/Content Name</P> <P>Generic Cross-Site Scripting Vulnerability(94328)</P> <P>=============================================================</P> <P>&nbsp;</P> <P>Any advise?</P> <P>&nbsp;</P> Fri, 16 Jan 2026 09:42:13 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245780#M125850 Fariq_Zaidi 2026-01-16T09:42:13Z https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245789#M125852 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225107">@Fariq_Zaidi</a>&nbsp;,</P> <P>&nbsp;</P> <P>It's highly plausible that you're looking at a false positive. Check Point devices talking to each other often looks like malicious noise to a firewall that isn't expecting those proprietary strings.</P> <P data-path-to-node="17">If this traffic is strictly between your management server and gateways (internal only), the risk is near zero and you could add&nbsp;Threat Exceptions for those IPs.</P> <P data-path-to-node="17">&nbsp;</P> <P data-path-to-node="17">If you have enabled PCAP on your threat logs you can see exactly what the data looks like. If it's a bunch of binary/hex that just <I data-path-to-node="13,1,2,0" data-index-in-node="86">happens</I> to have "win" in it, you have your proof.</P> <P data-path-to-node="17">&nbsp;</P> <P data-path-to-node="17">Kind regards,</P> Fri, 16 Jan 2026 10:29:40 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245789#M125852 kiwi 2026-01-16T10:29:40Z