This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vinceneil666
Advisor
‎2023-01-21 02:32 AM
Jump to solution

AWS, GWLB vs. FTP

Hi,

Recently I set up an environment in AWS for a customer, utilizing the cloudformation templates available at:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I did the top one, autoscaling group, conmmfigured for gateway loadbalancers.

Everything is working fine, except a  FTP connection. The FTP is doing a couple (data and controll) of connections, and the first one goes over one of the firewalls, but then the other connection moves over to the other firewall...and we are unable to get the connection up.

Have anyone else had this issue, and is there some workaround - both "dirty" and proper ? 🙂

0 Kudos
1 Solution

Accepted Solutions
vinceneil666
Advisor
‎2023-01-27 12:17 AM
Jump to solution

I got word back from TAC on this, and it is verified to be an design limitation - it will not work on this setup. So pretty much the only option is to have it changed to SCP.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2023-01-21 08:13 AM
Jump to solution

Curious why FTP and not scp/sftp.
Is it active mode FTP or passive?

0 Kudos
vinceneil666
Advisor
‎2023-01-26 04:59 AM
In response to PhoneBoy
Jump to solution

This is some legacy stuff, we have migrated tons of services and this FTP stuff is something that will be gone within the year/ next year - so they have decided on not working on changing it..its towards a 3rd party, and will trigger to much work. At least, that's what have been decided 🙂 

Passive FTP

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-27 09:59 AM
In response to vinceneil666
Jump to solution

FTP in particular communicates an IP address and port as part of the command, even in Passive mode.
I suspect this is not getting translated somewhere along the way, which will definitely cause FTP to fail.
scp/sftp is definitely much simpler in this regard since it's a single TCP connection.

0 Kudos
vinceneil666
Advisor
‎2023-01-27 12:17 AM
Jump to solution

I got word back from TAC on this, and it is verified to be an design limitation - it will not work on this setup. So pretty much the only option is to have it changed to SCP.

0 Kudos
Machine_Head
Advisor
Advisor
‎2023-01-27 02:25 AM
In response to vinceneil666
Jump to solution

Just create another rule for return traffic 😉

0 Kudos
abihsot__
Advisor
‎2023-01-31 07:37 AM
In response to Machine_Head
Jump to solution

well, not very elegant, isn't it?

I see a trouble here as companies also moving legacy stuff in the cloud too. 

0 Kudos
abihsot__
Advisor
‎2023-01-31 07:41 AM
Jump to solution

unrelated to FTP issue, does healtcheck (tcp/8117) is successful for your gateways? Not sure what I did wrong, but on my side it is "unhealthy", however it seems working fine.

EC2 -> Load Balancing -> Target Groups -> "Targets" tab

0 Kudos
Jihed
Explorer
‎2023-02-01 06:23 AM
Jump to solution

Hello,

We have the same issue. Our setup is very similar, 4 Gateways in an ASG sitting behind a GWLB. This behaviour is due to the fact that the firewalls do not share session details, we confirmed by looking at our on-prem devices that are setup in HA pairs.

Our first instinct was to ask the App team to move off FTP, but they said that would take a while and it also involves infrastructure changes in the DC. Meanwhile the end customer is suffering is not getting their files...

Our solution was to implement this sk33760

The app transfers 2000 files give or take a few. So we went up to allowing 500 pending connections and the problem is gone. We have not observed any performance issues.

The setting applies to the whole domain and cannot be applied to a set of firewalls.

I hope this helps.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events