Solved: AWS, GWLB vs. FTP

vinceneil666 · ‎2023-01-21

Hi,

Recently I set up an environment in AWS for a customer, utilizing the cloudformation templates available at:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I did the top one, autoscaling group, conmmfigured for gateway loadbalancers.

Everything is working fine, except a FTP connection. The FTP is doing a couple (data and controll) of connections, and the first one goes over one of the firewalls, but then the other connection moves over to the other firewall...and we are unable to get the connection up.

Have anyone else had this issue, and is there some workaround - both "dirty" and proper ? 🙂

vinceneil666 · ‎2023-01-27

I got word back from TAC on this, and it is verified to be an design limitation - it will not work on this setup. So pretty much the only option is to have it changed to SCP.

View solution in original post

PhoneBoy · ‎2023-01-21

Curious why FTP and not scp/sftp.
Is it active mode FTP or passive?

vinceneil666 · ‎2023-01-26

This is some legacy stuff, we have migrated tons of services and this FTP stuff is something that will be gone within the year/ next year - so they have decided on not working on changing it..its towards a 3rd party, and will trigger to much work. At least, that's what have been decided 🙂

Passive FTP

PhoneBoy · ‎2023-01-27

FTP in particular communicates an IP address and port as part of the command, even in Passive mode.
I suspect this is not getting translated somewhere along the way, which will definitely cause FTP to fail.
scp/sftp is definitely much simpler in this regard since it's a single TCP connection.

vinceneil666 · ‎2023-01-27

I got word back from TAC on this, and it is verified to be an design limitation - it will not work on this setup. So pretty much the only option is to have it changed to SCP.

Machine_Head · ‎2023-01-27

Just create another rule for return traffic 😉

abihsot__ · ‎2023-01-31

well, not very elegant, isn't it?

I see a trouble here as companies also moving legacy stuff in the cloud too.

abihsot__ · ‎2023-01-31

unrelated to FTP issue, does healtcheck (tcp/8117) is successful for your gateways? Not sure what I did wrong, but on my side it is "unhealthy", however it seems working fine.

EC2 -> Load Balancing -> Target Groups -> "Targets" tab

Jihed · ‎2023-02-01

Hello,

We have the same issue. Our setup is very similar, 4 Gateways in an ASG sitting behind a GWLB. This behaviour is due to the fact that the firewalls do not share session details, we confirmed by looking at our on-prem devices that are setup in HA pairs.

Our first instinct was to ask the App team to move off FTP, but they said that would take a while and it also involves infrastructure changes in the DC. Meanwhile the end customer is suffering is not getting their files...

Our solution was to implement this sk33760

The app transfers 2000 files give or take a few. So we went up to allowing 500 pending connections and the problem is gone. We have not observed any performance issues.

The setting applies to the whole domain and cannot be applied to a set of firewalls.

I hope this helps.

Are you a member of CheckMates?

AWS, GWLB vs. FTP