
Passive FTP over TLS R80.30


I'm having real issues trying to get Passive FTP with explicit TLS working through the gateway.

The connection works fine over my broadband link but not through the Check Point.

FileZilla fails after the TLS accepts:

Status: Resolving address of
Status: Connecting to
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER ftp_costal_erosion
Response: 331 Please specify the password.
Command: PASS ********
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Waiting to retry...

There are no dropped logs in the Event monitor and no drops in the zdebug on the live gateway either. 

I have tried various FTP setups, even ANY service, but currently have 2 rules:

first rule:  ftp-pasv

second rule: port range 50000-51000 (which is the port range on the FTP server)

I can see logs for the first rule (all ACCEPT), but the logs never hit the second rule.

I assume the control packets are encrypted hence not passed by the gateway.

Any suggestions welcome.




0 Kudos
5 Replies

We can't do stateful enforcement of FTP over TLS traffic because it's encrypted and we don't 'man in the middle' the traffic at all.
That said, if you have explicit rules allowing the explicit TCP ports used, then it should still work.
What is that second rule in more detail?
See also (possibly): 

0 Kudos

Thanks for looking at this.

2nd rule is:

SRC        DST                  SRVC                      ACT     TRACK
LocalLans  ftp.<serverID>.com   tcp ports 500000-510000   ALLOW   LOG

I've tried *ANY as the service as well as all the different FTP options. I even added the reverse rule just in case it was making a reverse connection.

Doing it from the broadband link (no firewall) the Wireshark file looks to flip the port within the 50000-51000 range after the TLS negotiation.

I've not had an issue with PASV FTP before once the correct ports are defined.

**UPDATE: I've added the registry edit as suggested in the SK document. Still fails.**



0 Kudos

The default 'ftp-pasv' service object has a protocol associated with it. This means it tries to enforce certain behavior in the traffic. TLS will cause that enforcement to fail, so the traffic will be dropped. You should create a whole new service object for TCP port 21, and don't specify any protocol for it.

0 Kudos
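To make concrete what the two replies above are saying (no stateful enforcement once the control channel is encrypted, and why an FTP-aware service object cannot help), here is an added Python illustration. It is not part of this thread and not Check Point code; it simulates what an FTP-aware inspector can learn from the control channel. On a constructed cleartext session it parses the server's 227 PASV reply and learns the data port; on a constructed explicit-TLS session the server's 234 reply to AUTH TLS is the last readable line, so no data port is ever learned and the passive range must be allowed by a plain TCP port-range rule instead. A second helper checks that such a rule is a legal TCP port range and actually covers the server's configured passive range. The host 192.0.2.10, the port 50008 and both transcripts are constructed values.

```python
import re

# Server reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if absent or malformed.

    An inspector that opens pinholes must validate what it parses: the four
    octets are 0-255 and the data port p1*256+p2 must be a real TCP port.
    """
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    port = p1 * 256 + p2
    if any(o > 255 for o in (h1, h2, h3, h4)) or not 1 <= port <= 65535:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def alg_pinholes(transcript):
    """Simulate an FTP-aware inspector reading the control channel.

    transcript is a list of (direction, line) with "C" for client->server and
    "S" for server->client. Returns (pinholes, went_encrypted): the data
    endpoints learned from 227 replies, and whether the session switched to
    TLS (server answered AUTH TLS with 234), after which every further line
    is ciphertext the inspector cannot parse.
    """
    pinholes = []
    encrypted = False
    for direction, line in transcript:
        if encrypted:
            continue  # opaque TLS records: no PASV reply is visible here
        if direction == "S" and line.startswith("234"):
            encrypted = True  # AUTH TLS accepted; control channel goes dark
            continue
        if direction == "S":
            endpoint = parse_pasv(line)
            if endpoint:
                pinholes.append(endpoint)
    return pinholes, encrypted


def rule_covers_server_range(rule_range, server_pasv_range):
    """Check the explicit data-port rule a TLS session has to rely on.

    Both ranges are (low, high) tuples. Returns (ok, reason).
    """
    for name, (lo, hi) in (("rule", rule_range), ("server", server_pasv_range)):
        if not 1 <= lo <= hi <= 65535:
            return False, f"{name} range {lo}-{hi} is not a valid TCP port range (1-65535)"
    lo, hi = rule_range
    slo, shi = server_pasv_range
    if lo <= slo and shi <= hi:
        return True, f"rule {lo}-{hi} covers passive range {slo}-{shi}"
    return False, f"rule {lo}-{hi} does not cover passive range {slo}-{shi}"


# Constructed transcripts (not captures from this thread). 192.0.2.10 is a
# documentation address; 195*256+88 = 50008 lies inside a 50000-51000 range.
CLEARTEXT_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER demo"),
    ("S", "331 Please specify the password."),
    ("C", "PASS ********"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,88)."),
    ("C", "LIST"),
]

EXPLICIT_TLS_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation."),
    ("C", "<tls record>"),  # USER/PASS/PASV now travel inside TLS
    ("S", "<tls record>"),  # the 227 reply is in here, unreadable to the gateway
    ("C", "<tls record>"),
]

if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("explicit TLS", EXPLICIT_TLS_SESSION)):
        holes, dark = alg_pinholes(session)
        print(f"{name}: pinholes={holes} control_channel_encrypted={dark}")
    for rule in ((50000, 51000), (500000, 510000), (50000, 50500)):
        print(rule, rule_covers_server_range(rule, (50000, 51000)))
```

Running it shows the cleartext session yielding one pinhole (192.0.2.10, 50008) while the TLS session yields none, which is the situation a gateway is in once the client sends AUTH TLS. The range check is the sanity test to run on the second rule: the low and high ends must both be real TCP ports (a value above 65535 is rejected outright) and the rule must be at least as wide as the passive range configured on the FTP server.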

Thanks for the response.

I've added a tcp-21 port and removed the FTP-PASV, I can still connect via the port 21, but it still fails after the TLS negotiation. 

I've sent captures to our Check Point Support company so will see what they come back with.



0 Kudos

Hello John,

Were you able to get this working? I'm having similar issues and there is no info using tcpdump or zdebug to see if there are other ports being requested.


Thanks in advance.

0 Kudos