
Migration from Cisco ASA to Checkpoint - FTP/NAS issue


We recently migrated from a Cisco ASA cluster to a new Checkpoint cluster.

The configuration has been converted by the Checkpoint migration tool.

Now we are facing a few strange problems:

Server1 to Server2 NAS flow KO

Server3 to Server4 FTP flow KO


From the log I can see that the gateway blocks the FTP flow that uses the high port.

This is strange because there isn't a rule on the ASA that allows the high port from S1 to S2.

It is more or less the same for the NAS: the gateway blocks certain ports related to the NAS protocol, but there is no rule on the ASA.

Could it be that on the ASA we only have to allow the main port, like the FTP port, and not the high port related to the same flow, as per an implicit allow, but CP requires an explicit rule for that?

All post-migration problems are related to a flow that starts with a specific port and continues with another port, like FTP.


0 Kudos
1 Reply


It could be that FTP is related to passive / active mode; please check the traffic and adjust as needed.

- You can find the file CiscoNameToNumber.csv; it will map the ftp service to port 21.

- CP_KnownTcpPorts.csv will map port 21 to the Check Point FTP service.

There is no NAS service with SmartMove. Which port are you referring to?

I also cannot find it with IANA:


Did you have any errors or warnings with the file? You can view it from the results HTML file.



You can ping me offline:

0 Kudos
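The high port discussed in this thread is announced on the FTP control channel (a 227 or 229 reply in passive mode, a PORT command in active mode), so dropped connections can be checked against it. The following is an added example, not part of the original thread or of any Check Point or Cisco tool; the control-channel lines, the addresses (documentation range) and the drop list are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed FTP control-channel lines: "C" = sent by client, "S" = sent by server.
CONTROL = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,20,195,80)"),
    ("C", "PORT 192,0,2,10,156,64"),
    ("S", "200 PORT command successful"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50021|)"),
]
# Constructed (src, dst, dst_port) tuples, as read from a gateway drop log.
DROPS = [
    ("192.0.2.10", "192.0.2.20", 50000),
    ("192.0.2.20", "192.0.2.10", 40000),
    ("192.0.2.10", "192.0.2.20", 445),
]

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_PORT = re.compile(r"\(\|\|\|(\d+)\|\)")

def _host_port(line):
    """Decode h1,h2,h3,h4,p1,p2 (RFC 959): port = p1 * 256 + p2."""
    m = HOSTPORT.search(line)
    if not m:
        return None
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])

def data_flows(control, client_ip, server_ip):
    """Return the (src, dst, dst_port) data connections announced on the control channel."""
    flows = set()
    for side, line in control:
        verb = line.split(" ", 1)[0].upper()
        if side == "S" and verb == "227" and (hp := _host_port(line)):
            flows.add((client_ip, hp[0], hp[1]))        # passive: client -> server
        elif side == "C" and verb == "PORT" and (hp := _host_port(line)):
            flows.add((server_ip, hp[0], hp[1]))        # active: server -> client
        elif side == "S" and verb == "229" and (m := EPSV_PORT.search(line)):
            flows.add((client_ip, server_ip, int(m.group(1))))  # extended passive
    return flows

def explain_drops(drops, flows):
    """Mark each dropped connection True if it is a negotiated FTP data channel."""
    return [(d, d in flows) for d in drops]

if __name__ == "__main__":
    flows = data_flows(CONTROL, "192.0.2.10", "192.0.2.20")
    for drop, is_ftp_data in explain_drops(DROPS, flows):
        print(drop, "FTP data channel" if is_ftp_data else "not announced on control channel")
```

A drop that matches a negotiated flow points at missing FTP-aware handling of the control connection rather than at a missing high-port rule; a drop that does not match (port 445 in the sample) is a separate flow that needs its own rule review.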

