https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209343#M39665 <P>Can you do zdebug to see if it gives specific reason for the drop?</P> <P>Andy</P> Thu, 21 Mar 2024 00:48:19 GMT the_rock 2024-03-21T00:48:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209303#M39649 <P>Ive been having trouble stablishing a passive FTP connection with a host that resides in a public IP.&nbsp;</P><P>The connection itself works, but when i try to transfer or list a file i keep receiving reject from the firewall indicating error&nbsp;(227)</P><P>Ive followed the instructions on the sk on this error (227) which is&nbsp;<A href="https://support.checkpoint.com/results/sk/sk171375" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk171375</A></P><P>Remove all FTP services from the rule and use only ftp service. If you want only to use Passive mode FTP, use only ftp-pasv service in the rule. (In addition, this applies if you do not use multiple services with the same port in the same rule.)</P><P><BR />Despite the rule is matched, it still gets rejected, as soon as an ls command is issued on the session. High tcp ports are also allowed.</P><P>&nbsp;</P><P>Keep receiving the&nbsp; the same message (227)</P><P>I understand that it get's rejected because the client is sending a port command when working in passive mode, but my linux is configured to work on passive mode and it works ok with other hosts... Also the connection from a network outside of the scope of the firewall also work.&nbsp;</P><P>I dont quite understand why does the host try to send a port command, even when the firewall detects it is a passive ftp connection, as it get matched with rule 6..</P><P>Wyh does this happen?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 20 Mar 2024 16:22:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209303#M39649 Jveas 2024-03-20T16:22:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209343#M39665 <P>Can you do zdebug to see if it gives specific reason for the drop?</P> <P>Andy</P> Thu, 21 Mar 2024 00:48:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209343#M39665 the_rock 2024-03-21T00:48:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209344#M39666 <P>The reject message specifies the exact reason: because a PORT command is received when PASV mode is expected based on the fact you’re only allowing Passive mode via the Access Policy.<BR />The service matched ftp-pasv because that’s what you have in your policy.<BR />It uses the same port as regular FTP, just with different enforcement logic, namely PORT commands are not allowed with PASV.</P> <P>This is expected behavior.</P> Thu, 21 Mar 2024 01:07:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-Passive-Ftp-not-working/m-p/209344#M39666 PhoneBoy 2024-03-21T01:07:39Z