topic Re: AWS, GWLB vs. FTP in Cloud Firewall

AWS, GWLB vs. FTP

vinceneil666 — Sat, 21 Jan 2023 10:32:03 GMT

Hi,

Recently I set up an environment in AWS for a customer, utilizing the cloudformation templates available at:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111013

I did the top one, autoscaling group, conmmfigured for gateway loadbalancers.

Everything is working fine, except a FTP connection. The FTP is doing a couple (data and controll) of connections, and the first one goes over one of the firewalls, but then the other connection moves over to the other firewall...and we are unable to get the connection up.

Have anyone else had this issue, and is there some workaround - both "dirty" and proper ? 🙂

Re: AWS, GWLB vs. FTP

PhoneBoy — Sat, 21 Jan 2023 16:13:13 GMT

Curious why FTP and not scp/sftp.
Is it active mode FTP or passive?

Re: AWS, GWLB vs. FTP

vinceneil666 — Thu, 26 Jan 2023 12:59:58 GMT

This is some legacy stuff, we have migrated tons of services and this FTP stuff is something that will be gone within the year/ next year - so they have decided on not working on changing it..its towards a 3rd party, and will trigger to much work. At least, that's what have been decided 🙂

Passive FTP

Re: AWS, GWLB vs. FTP

vinceneil666 — Fri, 27 Jan 2023 08:17:57 GMT

I got word back from TAC on this, and it is verified to be an design limitation - it will not work on this setup. So pretty much the only option is to have it changed to SCP.

Re: AWS, GWLB vs. FTP

Machine_Head — Fri, 27 Jan 2023 10:25:44 GMT

Just create another rule for return traffic 😉

Re: AWS, GWLB vs. FTP

PhoneBoy — Fri, 27 Jan 2023 17:59:30 GMT

FTP in particular communicates an IP address and port as part of the command, even in Passive mode.
I suspect this is not getting translated somewhere along the way, which will definitely cause FTP to fail.
scp/sftp is definitely much simpler in this regard since it's a single TCP connection.

Re: AWS, GWLB vs. FTP

abihsot__ — Tue, 31 Jan 2023 15:37:57 GMT

well, not very elegant, isn't it?

I see a trouble here as companies also moving legacy stuff in the cloud too.

Re: AWS, GWLB vs. FTP

abihsot__ — Tue, 31 Jan 2023 15:41:28 GMT

unrelated to FTP issue, does healtcheck (tcp/8117) is successful for your gateways? Not sure what I did wrong, but on my side it is "unhealthy", however it seems working fine.

EC2 -> Load Balancing -> Target Groups -> "Targets" tab

Re: AWS, GWLB vs. FTP

Jihed — Wed, 01 Feb 2023 14:23:00 GMT

Hello,

We have the same issue. Our setup is very similar, 4 Gateways in an ASG sitting behind a GWLB. This behaviour is due to the fact that the firewalls do not share session details, we confirmed by looking at our on-prem devices that are setup in HA pairs.

Our first instinct was to ask the App team to move off FTP, but they said that would take a while and it also involves infrastructure changes in the DC. Meanwhile the end customer is suffering is not getting their files...

Our solution was to implement this sk33760

The app transfers 2000 files give or take a few. So we went up to allowing 500 pending connections and the problem is gone. We have not observed any performance issues.

The setting applies to the whole domain and cannot be applied to a set of firewalls.

I hope this helps.