Since moving to R80.20 we've had an issue with the "ftp" service. As a stopgap we used "ftp-protocol-signature" and match for any, which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc). I am now trying to get back to the port-based ftp service and am having issues. To troubleshoot, I have an "ftp" rule followed by an "ftp-protocol-signature" rule.
The initial ftp connection on port 21 matches on the "ftp" service rule, however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:
No. | Time | Source | Destination | Protocol | Length | Info |
1 | 0 | 192.139.152.XXX | 216.8.153.YYY | TCP | 62 | 55479 > 21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1 |
2 | 0.034743 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=1 Ack=1 Win=32768 Len=0 |
3 | 0.050639 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: SYST |
4 | 0.066276 | 192.139.152.XXX | 216.8.153.YYY | FTP | 72 | Request: USER ********* |
5 | 0.08137 | 192.139.152.XXX | 216.8.153.YYY | FTP | 69 | Request: PASS ********** |
6 | 0.154162 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=40 Ack=235 Win=32768 Len=0 |
7 | 0.168541 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: PASV |
8 | 0.184125 | 192.139.152.XXX | 216.8.153.YYY | TCP | 62 | 55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1 |
9 | 0.198893 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Request: STOR FILEXXXXX |
10 | 0.214221 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0 |
11 | 0.229467 | 192.139.152.XXX | 216.8.153.YYY | TCP | 1406 | 55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352 |
12 | 0.229566 | 192.139.152.XXX | 216.8.153.YYY | TCP | 1406 | 55486 > 63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352 |
13 | 0.22961 | 192.139.152.XXX | 216.8.153.YYY | TCP | 764 | 55486 > 63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710 |
14 | 0.229614 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0 |
15 | 0.245719 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0 |
16 | 0.245726 | 192.139.152.XXX | 216.8.153.YYY | FTP | 59 | Request: PWD |
17 | 0.260447 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Request: RNFR FILEXXXXX |
18 | 0.275011 | 192.139.152.XXX | 216.8.153.YYY | FTP | 86 | Request: RNTO FILEYYYYY |
19 | 0.30613 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: QUIT |
20 | 0.3216 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0 |
21 | 0.321714 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=148 Ack=450 Win=32768 Len=0 |
22 | 1.576145 | 192.139.152.XXX | 216.8.153.YYY | TCP | 66 | 21 > 63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 |
23 | 1.590468 | 192.139.152.XXX | 216.8.153.YYY | FTP | 81 | Response: 220 Microsoft FTP Service |
24 | 1.605046 | 192.139.152.XXX | 216.8.153.YYY | FTP | 77 | Response: 331 Password required |
25 | 1.620133 | 192.139.152.XXX | 216.8.153.YYY | FTP | 1088 | Response: 230-WARNING: |
26 | 1.62016 | 192.139.152.XXX | 216.8.153.YYY | FTP | 75 | Response: 230 User logged in. |
27 | 1.634786 | 192.139.152.XXX | 216.8.153.YYY | FTP | 74 | Response: 200 Type set to I. |
28 | 1.648881 | 192.139.152.XXX | 216.8.153.YYY | FTP | 70 | Response: 215 Windows_NT |
29 | 1.663016 | 192.139.152.XXX | 216.8.153.YYY | FTP | 88 | Response: 211-Extended features supported: |
30 | 1.663093 | 192.139.152.XXX | 216.8.153.YYY | FTP | 72 | Response: LANG EN* |
31 | 1.663115 | 192.139.152.XXX | 216.8.153.YYY | FTP | 107 | Response: AUTH TLS;TLS-C;SSL;TLS-P; |
32 | 1.663132 | 192.139.152.XXX | 216.8.153.YYY | FTP | 61 | Response: HOST |
33 | 1.663153 | 192.139.152.XXX | 216.8.153.YYY | FTP | 91 | Response: SIZE |
34 | 1.677245 | 192.139.152.XXX | 216.8.153.YYY | FTP | 112 | Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON. |
35 | 1.712574 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Response: 250 CWD command successful. |
36 | 1.729417 | 192.139.152.XXX | 216.8.153.YYY | FTP | 103 | Response: 550 The system cannot find the file specified. |
37 | 1.74992 | 192.139.152.XXX | 216.8.153.YYY | FTP | 107 | Response: 227 Entering Passive Mode (192,139,152,XXX,237,68). |
38 | 1.764894 | 192.139.152.XXX | 216.8.153.YYY | TCP | 66 | 60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 |
39 | 1.788989 | 192.139.152.XXX | 216.8.153.YYY | FTP | 108 | Response: 125 Data connection already open; Transfer starting. |
40 | 1.803761 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0 |
41 | 1.807151 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0 |
42 | 1.8073 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0 |
43 | 1.807392 | 192.139.152.XXX | 216.8.153.YYY | FTP | 78 | Response: 226 Transfer complete. |
44 | 1.880154 | 192.139.152.XXX | 216.8.153.YYY | FTP | 68 | Response: 221 Good-Bye |
45 | 1.880182 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 21 > 63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0 |
46 | 1.895165 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 21 > 63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0 |
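A port-based FTP service only covers the data channel when the port announced in the server's 227 reply can be tied to the data connection that follows. The sketch below is an added example, not part of the original post and not Check Point code: it decodes the 227 reply and compares the announced port with the connection-opening segments, using four rows copied from the capture above (masked octet kept as posted); the function names are illustrative.

```python
import re

# Rows (No., Info) copied from the capture in the post.
CAPTURE = [
    (7, "Request: PASV"),
    (8, "55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1"),
    (37, "Response: 227 Entering Passive Mode (192,139,152,XXX,237,68)."),
    (38, "60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"),
]

# h1,h2,h3,h4,p1,p2 inside the parentheses; \w+ tolerates the masked octet.
PASV_RE = re.compile(r"227 [^(]*\(((?:\w+,){3}\w+),(\d{1,3}),(\d{1,3})\)")
TCP_RE = re.compile(r"^(\d+) > (\d+) \[([A-Z, ]+)\]")


def parse_pasv(info):
    """Return (host, port) announced by a 227 reply, or None if not a valid one."""
    m = PASV_RE.search(info)
    if not m:
        return None
    p1, p2 = int(m.group(2)), int(m.group(3))
    if p1 > 255 or p2 > 255:  # each port byte must fit in one octet
        return None
    return m.group(1).replace(",", "."), p1 * 256 + p2


def correlate(rows):
    """List (row, server-side port, row of the matching 227 or None) for each
    SYN / SYN,ACK that is not on the control port 21."""
    announced = {}
    for no, info in rows:
        pasv = parse_pasv(info)
        if pasv:
            announced[pasv[1]] = no
    results = []
    for no, info in rows:
        m = TCP_RE.match(info)
        if not m or "SYN" not in m.group(3):
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if 21 in (src, dst):
            continue
        # A SYN targets the server's port; a SYN,ACK comes from it.
        server_port = src if "ACK" in m.group(3) else dst
        results.append((no, server_port, announced.get(server_port)))
    return results


if __name__ == "__main__":
    for row in correlate(CAPTURE):
        print(row)
```

On these rows the 227 reply in row 37 decodes to port 60740, which matches the SYN,ACK in row 38, while the SYN in row 8 targets 63690 and has no matching announcement in the capture.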