This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
thant_zin
Explorer
‎2018-09-27 08:07 PM

Error while installing FTP server behind CP 15400

Hello,

         I'm newbie and no experience but last year our organization buy CP 15400 install in front of our server zone.

Local engineer install the firewall and guide me how to manage and how to add new host(server), policy, but i'm
not very well .Last day I was installed FTP server behind the CP firewall, in that case client can accept port 21 simple FTP service but when client access the FTPs, client can't access, errors was like this (Response:425 Can't open data connection for transfer of "/" ) . So search how to solve by googling and found to open port ftp-ssl-port and ftp-ssl-data

1023,989 and 990, so follow the instruction but still error. Would you all like to fixed my error.

Best Regards,

3 Replies
PhoneBoy
Admin
Admin
‎2018-09-28 02:22 PM

If you're doing FTP over SSL: FTP over SSL traffic does not pass through Security Gateway 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-09-29 02:10 PM

In the FTP server you need to assign a portrange that you want to be used for the Data tranfsers, let's say you use 5000-5099 for that, now you that port-range to the allowed port-list in the rule allowing the FTPs and you should be all ok.

Regards, Maarten
0 Kudos
Dave
Contributor
‎2019-09-25 12:01 AM
In response to Maarten_Sjouw

Also, make sure if your FTP server is running on some flavour of Linux OS, to allow your passive ports in iptables and restart the firewall/iptables process.

I cannot stress this enough to have both processes restarted after iptables has been changed.

Witnessed this first hand, troubleshooting FTP passive mode that was working only up to the point for the initial connection to port 21 and not any further.

We saw when passive mode came into action and it was taking one of the ports from the passive ports defined in Checkpoint firewall, but when directory listing needed to complete, the connection timed.
A packet capture was taken to try and help us further in troubleshooting, this showed that when the passive port was negotiated with the FTP server a SYN was being send to the FTP server but the 3-WAY handshake never completed.
So no SYN-ACK and ACK.

Sysadmin assured the config of FTP box was solid and iptables where good, doublechecking and confirming it.
After restarting iptables - which was already configured to allow the passive ports - and restarting the firewall process ... BINGO, everything was working!

Internal Linux iptables/firewall was the culprit, still blocking the allowed passive ports because the processes where not restarted after the config change.

Hope this info is still helping anybody out there.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events