Can someone help explain to me how FTP works through a Checkpoint firewall? Specifically in this case, how Active mode FTP works given the following scenario:
Single FW rule that allows my internal systems to access internet servers over default FTP service/protocol. No other rules exist for this.
It is my understanding that in Active mode FTP, the process is (at a high level):
1) The client first initiates traffic from a random source port to tcp/21 on the FTP server to issue CONTROL commands. This traffic is bound and allowed via the rule defined above.
2) Over this control session, the client issues a POST command informing the server what local port the client will be listening on for the DATA traffic. This is usually a random port.
3) The FTP server then initiates a NEW session from local source port tcp/20 to the destination port established by the client in step #2. Data proceeds to transfer over this session.
Here is where I get lost. I have validated via a packet capture at the client that this process is occurring, but I don't understand how the Checkpoint is 1) allowing this traffic to pass given I have no rules in place to specifically allow this new session/traffic, and 2) the client has no external NAT.
In my packet capture I see the server set up the session as listed above, but the Checkpoint firewall does not even log this traffic in my logs. The only traffic I see is the tcp/21 control traffic. I can only assume something is happening under the covers to allow this. Do all firewalls do this or is this special to certain ones like Checkpoint?
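As an added illustration (not part of the original post and not Check Point's code), the model below shows what a stateful FTP inspector does with the control channel: it reads each FTP PORT command the client sends, derives the data connection the server is expected to open (server port 20 to the advertised client address and port), and treats a matching inbound SYN as related to the allowed control session. The addresses and control stream are constructed sample values; the sanity checks (advertised address must equal the control-channel client, port must be unprivileged) are typical inspector behaviour, not a specific vendor's.

```python
import re

# Constructed sample of a client-to-server FTP control stream (not a real capture).
# Assumed addresses: client 10.0.0.5 (internal), server 203.0.113.7 (internet).
CLIENT_IP = "10.0.0.5"
SERVER_IP = "203.0.113.7"
SAMPLE_CONTROL = (
    "USER anonymous\r\nPASS guest\r\n"
    "PORT 10,0,0,5,195,80\r\n"   # legitimate: advertises 10.0.0.5:50000
    "LIST\r\n"
    "PORT 10,0,0,9,0,21\r\n"     # advertises a different host: an inspector refuses it
    "RETR file.txt\r\n"
)

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT line."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def expected_data_connections(control_payload, client_ip, server_ip):
    """Model the dynamic 'pinholes' a stateful FTP inspector derives from the control
    channel: for each accepted PORT command, the server is expected to open a new TCP
    session from port 20 to the advertised client address and port."""
    pinholes = []
    for line in control_payload.splitlines():
        parsed = parse_port_command(line)
        if parsed is None:
            continue
        ip, port = parsed
        # Sanity check: the advertised address must be the control-channel client
        # itself, otherwise the command asks the server to connect to a third host.
        if ip != client_ip or port < 1024:
            continue
        pinholes.append({"proto": "tcp", "src": server_ip, "sport": 20,
                         "dst": ip, "dport": port})
    return pinholes

def data_syn_allowed(pinholes, src, sport, dst, dport):
    """Decide whether an inbound SYN matches a derived pinhole (no explicit rule needed)."""
    return any(p["src"] == src and p["sport"] == sport and p["dst"] == dst
               and p["dport"] == dport for p in pinholes)
```

A data session accepted this way is tied to the control session's state entry, which is also why it may be logged under the control connection (or not at all) rather than as a separate rule match.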