vinceneil666
Advisor

AWS, GWLB vs. FTP

Hi,

Recently I set up an environment in AWS for a customer, utilizing the CloudFormation templates available at:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I did the top one, the autoscaling group, configured for gateway load balancers.

Everything is working fine, except an FTP connection. FTP makes a couple of connections (data and control), and the first one goes over one of the firewalls, but then the other connection moves over to the other firewall... and we are unable to get the connection up.

Has anyone else had this issue, and is there some workaround - both "dirty" and proper? 🙂

0 Kudos
1 Solution

Accepted Solutions
vinceneil666
Advisor

I got word back from TAC on this, and it is verified to be a design limitation - it will not work on this setup. So pretty much the only option is to have it changed to SCP.


0 Kudos
8 Replies
PhoneBoy
Admin

Curious why FTP and not scp/sftp.
Is it active mode FTP or passive?

0 Kudos
vinceneil666
Advisor

This is some legacy stuff; we have migrated tons of services, and this FTP stuff is something that will be gone within the year / next year - so they have decided on not working on changing it. It's towards a 3rd party, and will trigger too much work. At least, that's what has been decided 🙂

Passive FTP

0 Kudos
PhoneBoy
Admin

FTP in particular communicates an IP address and port as part of the command, even in Passive mode.
I suspect this is not getting translated somewhere along the way, which will definitely cause FTP to fail.
scp/sftp is definitely much simpler in this regard since it's a single TCP connection.

0 Kudos
Gojira
Collaborator

Just create another rule for return traffic 😉

0 Kudos
abihsot__
Advisor

Well, not very elegant, is it?

I see trouble here, as companies are moving legacy stuff to the cloud too.

0 Kudos
abihsot__
Advisor

Unrelated to the FTP issue, is the health check (tcp/8117) successful for your gateways? Not sure what I did wrong, but on my side it is "unhealthy", however it seems to be working fine.

EC2 -> Load Balancing -> Target Groups -> "Targets" tab

0 Kudos
Jihed
Explorer

Hello,

We have the same issue. Our setup is very similar: 4 gateways in an ASG sitting behind a GWLB. This behaviour is due to the fact that the firewalls do not share session details; we confirmed this by looking at our on-prem devices that are set up in HA pairs.

Our first instinct was to ask the app team to move off FTP, but they said that would take a while and it also involves infrastructure changes in the DC. Meanwhile the end customer is suffering and not getting their files...

Our solution was to implement sk33760.

The app transfers 2000 files give or take a few. So we went up to allowing 500 pending connections and the problem is gone. We have not observed any performance issues.

The setting applies to the whole domain and cannot be applied to a set of firewalls.

I hope this helps.
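
The mechanism PhoneBoy and Jihed describe above (the server announces the data endpoint inside the 227 reply, the data connection is a separate flow, and gateways that do not share state drop a data SYN they were not expecting), as an added illustration that is not from the original thread or from Check Point. The hash in `pick_gateway` is an assumed stand-in for per-flow load balancing, not GWLB's real algorithm; the addresses and ports are constructed sample values.

```python
import hashlib
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample of what the server sends on the control channel (port 21).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"

def parse_pasv(reply):
    """Return the (ip, port) a 227 reply announces for the data connection, else None."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def pasv_reply(ip, port):
    """Build a 227 reply for a constructed server endpoint (test helper)."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), port >> 8, port & 255)

def pick_gateway(flow, n_gateways):
    """Assumed per-flow hash: the data flow has its own 5-tuple, so it is
    hashed independently of the control flow and may land on another gateway."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_gateways

def simulate(n_gateways, n_sessions, client="198.51.100.7", server="203.0.113.10"):
    """Model N gateways, each with its own table of expected data connections
    learned from the 227 reply it inspected; tables are not shared.
    Returns how many data connections would be dropped."""
    expected = [set() for _ in range(n_gateways)]   # one private table per gateway
    dropped = 0
    for i in range(n_sessions):
        ctrl_port, data_port, srv_port = 40000 + 2 * i, 40001 + 2 * i, 50000 + i
        gw_ctrl = pick_gateway((client, ctrl_port, server, 21, "tcp"), n_gateways)
        srv_ip, srv_port = parse_pasv(pasv_reply(server, srv_port))
        expected[gw_ctrl].add((client, srv_ip, srv_port))  # only this gateway learns it
        gw_data = pick_gateway((client, data_port, srv_ip, srv_port, "tcp"), n_gateways)
        if (client, srv_ip, srv_port) not in expected[gw_data]:
            dropped += 1   # SYN reaches a gateway with no matching pending entry
    return dropped
```

With a single gateway (or an HA pair that syncs its tables) nothing is dropped; with four independent gateways a large share of the data connections fail, which matches the behaviour reported in the thread.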
