This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2020-04-02 02:48 AM
Jump to solution

FTP on non-standard port (sk43597)

Hello,

I am looking at how to support FTP on a non-standard port. I found a related SK,but it does not mention and version in the R80 version.

Does anyone have experience with FTP on non-standard ports in R80. Do we still need to apply all the steps in this SK? I would like to avoid having to open up high ports for the FTP data connection.  This SK specific mentions having to manually update files on each Security Gateway to configure the Security Gateway to listen to FTP connections on the desired port 

FTP.pngMany thanks,

Michael

 

0 Kudos
3 Solutions

Accepted Solutions
RickHoppe
Advisor
‎2020-04-02 06:41 AM
Jump to solution

I would start with creating a new TCP service, select FTP protocol and specify a custom port.

2020-04-02_15-38-46.png

My blog: https://checkpoint.engineer

View solution in original post

Timothy_Hall
MVP Gold
MVP Gold
‎2020-04-02 06:50 AM
Jump to solution

I'm pretty sure you don't need to update fwauthd.conf unless you are doing some kind of legacy User/Session/Client authentication for FTP.  However an FTP service on a non-standard port needs to be set up correctly so the firewall can properly sniff PORT commands and pinhole open the necessary data ports.  This is why FTP control connections (port 21) always go F2F (but the data connections can be accelerated by SecureXL). What you should be able to do is clone the existing FTP service, then edit the name and port number like this:

ftp_999.jpg

Use this new service explicitly in your Network rules and you should be good to go.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

PhoneBoy
Admin
Admin
‎2020-04-02 05:28 PM
Jump to solution

These instructions involve the FTP Security Server which, unless you still have rules with Action: User Auth in your rulebase, is completely irrelevant.
Create a service as Rick Hoppe suggests.

View solution in original post

5 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-04-02 05:40 AM
Jump to solution

 This sk only shows how to handle this situation using an added Service in Dashboard and a new line in $FWDIR/conf/fwauthd.conf file. Not so hard to try and may work in R80.xx, too.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
RickHoppe
Advisor
‎2020-04-02 06:41 AM
Jump to solution

I would start with creating a new TCP service, select FTP protocol and specify a custom port.

2020-04-02_15-38-46.png

My blog: https://checkpoint.engineer
Timothy_Hall
MVP Gold
MVP Gold
‎2020-04-02 06:50 AM
Jump to solution

I'm pretty sure you don't need to update fwauthd.conf unless you are doing some kind of legacy User/Session/Client authentication for FTP.  However an FTP service on a non-standard port needs to be set up correctly so the firewall can properly sniff PORT commands and pinhole open the necessary data ports.  This is why FTP control connections (port 21) always go F2F (but the data connections can be accelerated by SecureXL). What you should be able to do is clone the existing FTP service, then edit the name and port number like this:

ftp_999.jpg

Use this new service explicitly in your Network rules and you should be good to go.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
PhoneBoy
Admin
Admin
‎2020-04-02 05:28 PM
Jump to solution

These instructions involve the FTP Security Server which, unless you still have rules with Action: User Auth in your rulebase, is completely irrelevant.
Create a service as Rick Hoppe suggests.
Michael_Horne
Advisor
‎2020-04-06 12:13 AM
Jump to solution

Hello All,

 

It would appear that you would only need to create the custom FTP service. I added a feedback comment to the SK and Checkpoint have come back to say that this SK is not relevant to R80.x. I take this to meant that nothing extra needs to be done beyond the customer service.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events