Migration from Cisco ASA to Checkpoint - FTP/NAS issue

charlie — Tue, 03 Aug 2021 09:28:55 GMT

Hello,

We recently migrate from Cisco ASA cluster to a new Checkpoint cluster.

The configuration has been converted by the Checkpoint migration tool.

Now we are facing few strange problem

Server1 to Server2 NAS flow KO

Server3 to Server4 FTP flow KO

From the log I can see that the Gateway block the FTP flow that use the high-port.

This is strange because there isn't a rule on ASA that allow the high-port from S1 to S2.

More or less is the same for the NAS: the Gateway block certain port related the NAS protocol but there is no rule on ASA.

It could be that on ASA we have to allow only the main port like ftp port and not the high port related the same flow as per implicit allow but the CP require and explicit rule for that?

All post-migration problem are related a flow that start with a specific port and continue with other port like FTP

Regards

Re: Migration from Cisco ASA to Checkpoint - FTP/NAS issue

Ofir_Shikolski — Tue, 03 Aug 2021 10:00:23 GMT

Hi,

It could be that FTP is related to passive / active mode ;

please check the traffic and adjust as needed .

- You can find the file : CiscoNameToNumber.csv - it will map ftp service to port 21.

- CP_KnownTcpPorts.csv will map port 21 to Check Point FTP service.

There is no NAS service with SmartMove - which port are you referring to ?

I also cannot find it with Iana : https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Did you had any errors ,warnings with the file ? you can view it form the results html file.

P.S:

You can ping me offline : sc@checkpoint.com

topic Migration from Cisco ASA to Checkpoint - FTP/NAS issue in SmartMove

Migration from Cisco ASA to Checkpoint - FTP/NAS issue

Re: Migration from Cisco ASA to Checkpoint - FTP/NAS issue