AWS, GWLB vs. FTP
Hi,
Recently I set up an environment in AWS for a customer, utilizing the cloudformation templates available at:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I did the top one, autoscaling group, configured for gateway load balancers.
Everything is working fine, except an FTP connection. FTP makes a couple of connections (data and control), and the first one goes over one of the firewalls, but then the other connection moves over to the other firewall... and we are unable to get the connection up.
Has anyone else had this issue, and is there some workaround, both "dirty" and proper? 🙂
Accepted Solutions
I got word back from TAC on this, and it is verified to be a design limitation: it will not work on this setup. So pretty much the only option is to have it changed to SCP.
Curious why FTP and not scp/sftp.
Is it active mode FTP or passive?
This is some legacy stuff. We have migrated tons of services, and this FTP stuff is something that will be gone within the year / next year, so they have decided not to work on changing it. It's towards a 3rd party and will trigger too much work. At least, that's what has been decided 🙂
Passive FTP
FTP in particular communicates an IP address and port as part of the command, even in Passive mode.
I suspect this is not getting translated somewhere along the way, which will definitely cause FTP to fail.
scp/sftp is definitely much simpler in this regard since it's a single TCP connection.
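To make the mechanism in the reply above concrete, here is an added example (not code from the thread, and not Check Point or AWS code). It decodes the endpoint that FTP carries inside the 227 reply (passive mode) and the PORT command (active mode), builds the 5-tuple of the resulting data connection, and runs both flows through a per-flow hash. The exchange is constructed; the hash is a stand-in that assumes the balancer distributes each TCP connection on its 5-tuple, which is the GWLB default. Because the data connection has a different source port (and, in active mode, a different direction), it is hashed independently of the control connection and can land on a gateway that holds no state for the session.

```python
"""Why an FTP data connection can hash to a different appliance than its control
connection behind a per-flow load balancer. Added example; the exchange below is
constructed, and the hash is a stand-in for the balancer's real flow hash."""
import hashlib
import re

# Constructed sample exchange, not captured traffic.
CLIENT_IP = "10.0.1.25"
SERVER_IP = "203.0.113.10"
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80).\r\n"  # server -> client
PORT_CMD = "PORT 10,0,1,25,200,15\r\n"                               # client -> server

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT " + _SIX)


def _endpoint(match):
    """Decode the h1,h2,h3,h4,p1,p2 form into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_data_tuple(reply, client_ip, client_port):
    """Passive mode: the client opens the data connection to the endpoint in the 227 reply."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 reply")
    ip, port = _endpoint(m)
    return ("tcp", client_ip, client_port, ip, port)


def active_data_tuple(cmd, server_ip):
    """Active mode: the server opens the data connection from port 20 to the endpoint in PORT."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("not a PORT command")
    ip, port = _endpoint(m)
    return ("tcp", server_ip, 20, ip, port)


def pick_gateway(flow, gateways):
    """Stand-in for a 5-tuple flow hash: the same flow always lands on the same gateway,
    but two different flows between the same two hosts are hashed independently."""
    key = "|".join(map(str, flow)).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return gateways[idx % len(gateways)]


def split_session_fraction(gateways, sessions=500):
    """Simulate passive-mode sessions using successive ephemeral ports and return the share
    whose data connection landed on a different gateway than its control connection.
    That second gateway has no state for the session, so the transfer fails."""
    split = 0
    for i in range(sessions):
        ctl_port, data_port = 40000 + 2 * i, 40001 + 2 * i
        control = ("tcp", CLIENT_IP, ctl_port, SERVER_IP, 21)
        data = passive_data_tuple(PASV_REPLY, CLIENT_IP, data_port)
        if pick_gateway(control, gateways) != pick_gateway(data, gateways):
            split += 1
    return split / sessions


if __name__ == "__main__":
    gws = ["gw-a", "gw-b"]
    print("passive data flow:", passive_data_tuple(PASV_REPLY, CLIENT_IP, 40001))
    print("active data flow: ", active_data_tuple(PORT_CMD, SERVER_IP))
    print(f"sessions split across gateways: {split_session_fraction(gws):.0%}")
```

With two gateways and an even hash, roughly half of the sessions end up with their data connection on the wrong appliance; with a single gateway none do, which is why the same deployment works in a standalone or state-sharing HA setup. SCP/SFTP avoid the problem entirely because everything rides on the one control connection.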
Just create another rule for return traffic 😉
Well, not very elegant, is it?
I see trouble here, as companies are also moving legacy stuff into the cloud.
Unrelated to the FTP issue: is the health check (tcp/8117) successful for your gateways? Not sure what I did wrong, but on my side it is "unhealthy", although it seems to be working fine.
EC2 -> Load Balancing -> Target Groups -> "Targets" tab
Hello,
We have the same issue. Our setup is very similar: 4 gateways in an ASG sitting behind a GWLB. This behaviour is due to the fact that the firewalls do not share session details; we confirmed this by looking at our on-prem devices, which are set up in HA pairs.
Our first instinct was to ask the app team to move off FTP, but they said that would take a while and it also involves infrastructure changes in the DC. Meanwhile the end customer is suffering and not getting their files...
Our solution was to implement sk33760.
The app transfers 2000 files, give or take a few. So we went up to allowing 500 pending connections and the problem is gone. We have not observed any performance issues.
The setting applies to the whole domain and cannot be applied to a set of firewalls.
I hope this helps.