Herschel_Liang
Collaborator

Question about sk171375

Recently, I've been facing an issue like the sk171375 symptom. I'm just curious about how the sk explains the cause: "This causes an issue where the Security Gateway chooses an incorrect protocol handler to deal with the Passive mode FTP connection."

What is the order? How is the priority selected when the CP rule configures multiple services on the same port? Or is it dynamic allocation? What is it based on?

6 Replies
the_rock
Champion

I know in the old days of CP (pre R80), this was ALWAYS fixed by one simple trick: change the protocol type to "none" in the service properties. In R80 and above, that does not exist; it's been replaced with "no item selected". Does it do the same thing? I really can't say, as I never had a need to use it, but it's worth a try. You can create a custom service with the same port number and try.

Herschel_Liang
Collaborator

Maybe something was misunderstood. In my case, we configured it as in sk171375 previously.

[screenshot: 微信截图_20220816074813.png]

My question is "how is it decided which service will be hit when traffic goes through?". We had it configured as in the screenshot for a long time and it worked fine. But we have been getting reject alerts since yesterday morning. After changing to the sk171375 solution, it works again. But a question is left: why did it work previously, with no change on that rule? How is it decided which service will be hit when traffic goes through? I'm just curious and trying to figure out how it works.

the_rock
Champion

Do you have screenshots of the drops/alerts? If I were you, I would open a TAC case to get an official response, but my educated guess is they would most likely tell you to follow the sk, and since you said that worked, there would probably be nothing else to try.

Herschel_Liang
Collaborator

Yes, I have opened a TAC case, but it seems there is no very in-depth response about my question.

===================================================================================================

"Multiple configured FTP services in the same rule allow the connections to the FTP server. This causes an issue where the Security Gateway chooses an incorrect protocol handler to deal with the Passive mode FTP connection." It might have worked before if the ftp or ftp-pasv service handler was chosen, but you can't control which service will be chosen by the firewall if you have multiple services with the same TCP port defined.

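The TAC answer above boils down to a rulebase hygiene check: a rule that pairs several services on the same TCP port gives the gateway more than one candidate protocol handler. The script below is an added example (not from the thread, TAC or Check Point) that flags such rules; the service catalogue and rulebase are constructed stand-ins, and the ftp-port service on tcp/21 is an assumption modelled on ftp and ftp-pasv from the thread.

```python
"""Lint a firewall rulebase for rules that pair several services on the same TCP port.

Added example, not from the thread or Check Point. The catalogue and rulebase are
constructed stand-ins for the configuration in the screenshot; names and ports are
assumptions modelled on the thread (ftp and ftp-pasv both on tcp/21).
"""
from collections import defaultdict

# Constructed service catalogue: name -> (protocol, port).
SERVICES = {
    "ftp":      ("tcp", 21),
    "ftp-pasv": ("tcp", 21),   # same control port, different protocol handler
    "ftp-port": ("tcp", 21),   # assumption: another FTP variant on tcp/21
    "https":    ("tcp", 443),
    "ssh":      ("tcp", 22),
}

# Constructed rulebase: rule number -> list of service names in that rule.
RULEBASE = {
    10: ["ftp", "ftp-pasv", "ftp-port"],  # the situation sk171375 describes
    20: ["ssh", "https"],
    30: ["ftp"],                          # single service: handler is unambiguous
}


def ambiguous_ports(rule_services, catalogue=SERVICES):
    """Return {(proto, port): [service, ...]} for ports claimed by more than one service."""
    by_port = defaultdict(list)
    for name in rule_services:
        by_port[catalogue[name]].append(name)
    return {key: names for key, names in by_port.items() if len(names) > 1}


def lint_rulebase(rulebase, catalogue=SERVICES):
    """Return one finding per (rule, ambiguous port), sorted by rule number."""
    findings = []
    for rule_no, services in sorted(rulebase.items()):
        for (proto, port), names in ambiguous_ports(services, catalogue).items():
            findings.append({
                "rule": rule_no,
                "port": f"{proto}/{port}",
                "services": names,
                # the remediation the TAC answer and sk171375 point to
                "advice": f"keep a single service for {proto}/{port} so one handler applies",
            })
    return findings


if __name__ == "__main__":
    for f in lint_rulebase(RULEBASE):
        print(f"rule {f['rule']}: {f['port']} matched by {f['services']} -> {f['advice']}")
```

Run against an exported rulebase, the same check tells you which rules have the ambiguity before the gateway picks a handler for you.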
_Val_
Admin

Why would you not use just one FTP service in the rule? The answer from TAC suggests just that.

the_rock
Champion

I agree with @_Val_; what he says makes sense. Just out of curiosity, was there a good reason in the past as to WHY you were using all those other services? Because, at the end of the day, it would use port 21 regardless. Yes, it is true that the data connection would start with port 20 initiated by the server, but then whatever is initiated by the client would come on port 21, so the sk seems pretty logical.
