This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonathan_Diegan
Participant
‎2018-05-25 08:25 AM

R75.47 SPLAT and FTP Issues

So before I get "upgrade please!!!" we are getting new R80.10 boxes in the next year but intill those are up i am seeing a issue with many FTP sites not finishing the handshake over the firewalls. When i connect just past the firewall on the same device it is working. Logs, FW monitor, and zdebug drop are all showing no blocks and that all trafiic is allowed. Wireshark just shows TCP retransmits due to the incomplete handshake. Anyone fight this issue before and can offer up some insight ?

3 Replies
Vladimir
Champion
Champion
‎2018-05-25 11:52 AM

If you are not seeing SynACKs from the destination (FTP servers) at all, check your NAT for the sources: if it is static and manual, you may have to define proxy ARP entries. If it is automatic and either "Hide" or "Static" in the object's properties, check the routing on the destination, if these are your servers.

Verify that your NAT settings are accurate: i.e. if you have Hide NAT for HTTP/S access to ANY, but have a manual rule with different NATed IP for FTP and that IP is wrong, the replies will get lost.

If the destination is not under your control, check tcpdump and fw monitor on external interfaces of the firewall to see if you are receiving SynACKs there.

It would also help, if you are addressing the FTP servers by name and not the IP from inside of the firewall, to check if they are being resolved to the same IPs as when you are trying it on the outside.

0 Kudos
Jonathan_Diegan
Participant
‎2018-05-25 12:31 PM

Unfortunately, testing the above yeilded the same results

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-25 08:34 PM

It would be helpful if you could post the text output of tcpdump -eni ifname while the traffic is traversing.

Verify the destination MAC shown actually matches your interface (this will verify the gateway is actually receiving the traffic).

You might also try, as a troubleshooting step, disabling SecureXL briefly (fwaccel off) and testing as well, but do this during a low traffic period.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events