<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Question about sk171375 in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155446#M26487</link>
    <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181"&gt;@_Val_&lt;/a&gt;&amp;nbsp;, what he says makes sense. Just out of curiosity, was there a good reason in the past as to WHY you were using all those other services? Because, at the end of the day, it would use port 21 regardless. Yes, it is true that data connection would start with port 20 initiated by the server, but then whatever is initiated by the client would come on port 21, so sk seems pretty logical.&lt;/P&gt;</description>
    <pubDate>Mon, 22 Aug 2022 16:46:45 GMT</pubDate>
    <dc:creator>the_rock</dc:creator>
    <dc:date>2022-08-22T16:46:45Z</dc:date>
    <item>
      <title>Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155007#M26445</link>
      <description>&lt;P&gt;Recently, I've been facing an issue like the sk171375 symptom. I'm just curious, since the sk explains the cause as "This causes an issue where the Security Gateway chooses an incorrect protocol handler to deal with the Passive mode FTP connection:".&lt;/P&gt;&lt;P&gt;What is the order of it? How is the priority selected when the CP rule configures multiple services on the same port? Or is it dynamic allocation? What is it based on?&lt;/P&gt;</description>
      <pubDate>Mon, 15 Aug 2022 17:00:01 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155007#M26445</guid>
      <dc:creator>Herschel_Liang</dc:creator>
      <dc:date>2022-08-15T17:00:01Z</dc:date>
    </item>
    <item>
      <title>Re: Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155008#M26446</link>
      <description>&lt;P&gt;I know in the old days of CP (pre R80), this was ALWAYS fixed by one simple trick...change protocol type to "none" in service properties. In R80 and above, that does not exist; it's been replaced with "no item selected". Does it do the same thing? I really can't say, as I never had a need to use it, but it's worth a try. You can create a custom service with the same port number and try.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Aug 2022 17:24:50 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155008#M26446</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2022-08-15T17:24:50Z</dc:date>
    </item>
    <item>
      <title>Re: Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155022#M26447</link>
      <description>&lt;P&gt;Maybe something is misunderstood. In my case, we configured it as in sk171375 previously.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="微信截图_20220816074813.png" style="width: 694px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17433iDE44DD26F15BEAB1/image-size/large?v=v2&amp;amp;px=999" role="button" title="微信截图_20220816074813.png" alt="微信截图_20220816074813.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;My question is "how is it selected which service will be hit when traffic goes through?". Because we had it configured as in the screenshot for a long time and it worked fine. But we have been facing reject alerts since last morning. After changing to the sk171375 solution, it works again. But one question is left: why did it work previously, with no change on that rule? How is it selected which service will be hit when traffic goes through? I'm just curious and &lt;SPAN&gt;just trying to figure out how it works&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Aug 2022 23:57:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155022#M26447</guid>
      <dc:creator>Herschel_Liang</dc:creator>
      <dc:date>2022-08-15T23:57:58Z</dc:date>
    </item>
    <item>
      <title>Re: Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155024#M26448</link>
      <description>&lt;P&gt;Do you have screenshots of the drops/alerts? If I were you, I would open a TAC case to get an official response, but my educated guess is they would most likely tell you to follow the sk, and since you said that worked, there would probably be nothing else to try.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Aug 2022 00:53:56 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155024#M26448</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2022-08-16T00:53:56Z</dc:date>
    </item>
    <item>
      <title>Re: Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155033#M26449</link>
      <description>&lt;P&gt;Yes, I have opened a TAC case, but it seems there was no in-depth response to my question.&lt;/P&gt;&lt;P&gt;===================================================================================================&lt;/P&gt;&lt;P&gt;"Multiple configured FTP services in the same rule allow the connections to the FTP server. This causes an issue where the Security Gateway chooses an incorrect protocol handler to deal with the Passive mode FTP connection". It might have worked before if the ftp or ftp-pasv service handler was chosen, but you can't control which service will be chosen by the firewall if you have multiple services with the same TCP port defined.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Aug 2022 06:32:10 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155033#M26449</guid>
      <dc:creator>Herschel_Liang</dc:creator>
      <dc:date>2022-08-16T06:32:10Z</dc:date>
    </item>
    <item>
      <title>Re: Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155438#M26486</link>
      <description>&lt;P&gt;Why wouldn't you use just one FTP service in the rule? The answer from TAC is suggesting just that.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Aug 2022 14:40:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155438#M26486</guid>
      <dc:creator>_Val_</dc:creator>
      <dc:date>2022-08-22T14:40:31Z</dc:date>
    </item>
    <item>
      <title>Re: Question about sk171375</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155446#M26487</link>
      <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181"&gt;@_Val_&lt;/a&gt;&amp;nbsp;, what he says makes sense. Just out of curiosity, was there a good reason in the past as to WHY you were using all those other services? Because, at the end of the day, it would use port 21 regardless. Yes, it is true that data connection would start with port 20 initiated by the server, but then whatever is initiated by the client would come on port 21, so sk seems pretty logical.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Aug 2022 16:46:45 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-about-sk171375/m-p/155446#M26487</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2022-08-22T16:46:45Z</dc:date>
    </item>
  </channel>
</rss>