Diego_dg
Contributor

FTP data session with destination NAT silently dropped when acceleration is enabled on the gateway

Hi! I have a strange issue: previously working FTP sessions have stopped working on our R81.10 firewall. The FTP control session on port 21 is established, but the data session is not established when acceleration is enabled. If I disable acceleration (fwaccel off), then the FTP data session is established without any issue. Only FTP flows with destination NAT have this issue: FTPs to the same FTP server but without destination NAT don't have this issue.

I am aware of the several types of FTP services available, I have tried using all the relevant types one by one (including ftp-pasv) but to no avail.

No drop is seen in the logs, nor with "fw ctl zdebug drop".

I have not found any change in the audit logs that could give a hint about what has caused this change in the behaviour of the firewall. Maybe it is the FTP server that has been modified, but I have no way to confirm that. I have rebooted the devices just in case, but it didn't fix the issue.

0 Kudos
9 Replies
PhoneBoy
Admin

If "fwaccel off" solves an issue, then TAC has to be involved: https://help.checkpoint.com
Did you upgrade to a JHF recently? (Version/JHF info is useful)

0 Kudos
Diego_dg
Contributor

Hi, this is R81.10 with JHF 83, it was installed almost one year ago, we have involved TAC.

0 Kudos
Timothy_Hall
Champion

Agree with PhoneBoy, TAC should be involved. In the meantime, as a workaround, you can force the problematic FTP traffic F2F/slowpath and avoid any acceleration with the procedure detailed here: sk104468: How to exclude traffic from SecureXL

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Diego_dg
Contributor

Hi, I already tried sk104468, adding all the involved IPs to the f2f_addresses section but to no avail... I will recheck it again because I still see the connections on the fwaccel conns table after configuring it.

I have found that some changes on the QoS blade were performed the day the issue started, and have seen that there could be some issues with acceleration if the QoS policy was created for R77. This is R81.10 JHF 83, but I am sure this policy has been running since R77 and upgraded to the current R81.10... I will try to disable QoS and check if the issue is still there. We have involved TAC.

"If you have a QoS policy created for R77 and earlier, you will have to disable QoS acceleration to use other..."

0 Kudos
Diego_dg
Contributor

We disabled the QoS blade and the issue disappeared. We are talking with TAC about it.

0 Kudos
PhoneBoy
Admin

That definitely sounds like a bug 🙂

0 Kudos
Lesley
Advisor

Sorry, no ideas anymore, not much experience with QoS. TAC is indeed a good step.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Lesley
Advisor

This is a long shot; the only reason I paste it here is that it is very specific to SecureXL and FTP:

https://support.checkpoint.com/results/sk/sk168952

Also FTP without encryption? So no FTPS? What Jumbo take? No NAT or VPN in the connection?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Diego_dg
Contributor

Yes, this is FTP without encryption, not FTPS. They are running R81.10 JHF 83. There are no VPNs on this FW, but there is NAT; in fact, we only have this issue when there is NAT on the FTP flow.

0 Kudos
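For readers debugging a similar case: an added example, not part of the thread and not Check Point code, that parses the passive-mode reply seen by the FTP client and checks whether the advertised data address matches the destination-NAT address the client dialled. It relies only on general FTP behaviour (RFC 959 / RFC 2428); the addresses and replies are constructed samples.

```python
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -- RFC 959
PASV = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 Entering Extended Passive Mode (|||port|) -- RFC 2428
EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(reply, control_peer):
    """Return the (ip, port) the client will dial for data, or None."""
    m = PASV.match(reply)
    if m:
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None
        return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]
    m = EPSV.match(reply)
    if m and 0 < int(m.group(2)) < 65536:
        # EPSV carries no address: data goes to the control-channel peer.
        return control_peer, int(m.group(2))
    return None


def classify(reply, control_peer):
    """Compare the advertised data address with the address the client used."""
    ep = data_endpoint(reply, control_peer)
    if ep is None:
        return "unparsed", None
    if ipaddress.ip_address(ep[0]) != ipaddress.ip_address(control_peer):
        # Payload still shows another address: the reply was not rewritten.
        return "address-not-translated", ep
    # Reply is consistent; a failure now is on the data connection itself.
    return "address-ok", ep


# Constructed sample: client dials the NAT address, server really is 10.1.1.20.
NAT_IP = "203.0.113.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,1,1,20,195,80).",
    "227 Entering Passive Mode (203,0,113,10,195,80).",
    "229 Entering Extended Passive Mode (|||50021|)",
    "230 Login successful.",
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(classify(line, NAT_IP), "<-", line)
```

Feed it the 227/229 line from a client-side capture or the FTP client's debug output, once with acceleration on and once off; a differing verdict separates a payload-rewrite problem from a dropped data connection.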