This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jdbgs
Explorer
‎2021-04-29 12:59 PM

Passive FTP over TLS R80.30

Hi

I'm having real issues trying to get Passive FTP with explicit TLS working through the gateway.

The connection works fine over my broadband link but not through the Check Point.

FileZilla fails after the TLS accepts:

Status: Resolving address of ftp.adwaiseo.eu
Status: Connecting to 78.141.182.24:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER ftp_costal_erosion
Response: 331 Please specify the password.
Command: PASS ********
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Waiting to retry...

There are no dropped logs in the Event monitor and no drops in the zdebug on the live gateway either. 

I have tried various FTP setups, even ANY service, but currently have 2 rules:

first rule:  ftp-pasv

second rule: port range 50000-51000 (which is the port range on the FTP server)

I can see logs for the first rule (all ACCEPT), but the logs never hit the second rule.

I assume the control packets are encrypted hence not passed by the gateway.

Any suggestions welcome.

Cheers

jD

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-04-29 02:52 PM

We can't do stateful enforcement of FTP over TLS traffic because it's encrypted and don't 'man in the middle' the traffic at all.
That said, if you have explicit rules allowing the explicit TCP ports used, then it should still work.
What is that second rule in more detail?
See also (possibly): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
jdbgs
Explorer
‎2021-04-30 09:59 AM
In response to PhoneBoy

Thanks for looking at this.

2nd rule is:

  SRC.                       DST.                                       SRVC.                                    ACT

LocalLans       ftp.<serverID>.com.       tcp ports 500000-510000.            ALLOW.        LOG

I've tried *ANY as the service as well as all the different FTP options. I even added the reverse rule just incase it was making a reverse connection.

Doing it from the broadband link (no firewall) the Wireshark file looks to flip the port within the 50000-51000 range after the TLS negotiation. 

I've not had an issue with PASV FTP before once the correct ports are defined.

**UPDATE:  I've added the registry edit as suggested in the SK document. Still fails. **

Cheers

John

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-04-30 11:58 AM
In response to jdbgs

The default 'ftp-pasv' service object has a protocol associated with it. This means it tries to enforce certain behavior in the traffic. TLS will cause that enforcement to fail, so the traffic will be dropped. You should create a whole new service object for TCP port 21, and don't specify any protocol for it.

0 Kudos
jdbgs
Explorer
‎2021-04-30 02:10 PM
In response to Bob_Zimmerman

Thanks for the response.

I've added a tcp-21 port and removed the FTP-PASV, I can still connect via the port 21, but it still fails after the TLS negotiation. 

I've sent captures to our Check Point Support company so will see what they come back with.

Cheers

John

0 Kudos
sebasnqn
Contributor
‎2023-01-03 05:59 AM
In response to jdbgs

Hello John,

           Where you able to get this working? I'm having similar issues and there is no info using tcpdump or zdebug to see if there are other ports been requested.

 

Thanks in advanced. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events