I would like to seek a verification and clarification regarding a threat detection observed on our Palo Alto firewall, which we believe may be a false positive.
During our review of the threat log, we noticed that the detection from below source and destination via port 18264 references several filenames as win.ini, fake.cgi, note.txt, jhjr60x8.kspx. These filenames do not appear to relevant in the context of the environment, as the traffic was observed between Check Point devices communicating with each other over TCP port 18264, which is believed to be used for Check Point proprietary internal services (e.g. update, synchronization, or certificate-related communication). Upon further review on the traffic under application found “incomplete”, “checkpoint-cpd” and “web-browsing”.
