Security Basics mailing list archives
Re: Checkpoint Firewall denying Explicit SSL
From: "bart knippenberg" <bartknippenberg () gmail com>
Date: Sat, 8 Dec 2007 15:25:16 +0100
Hello Rob,

Maybe this can help:

Solution ID: sk20837
Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG AI
Last Modified: 08-Aug-2006

Solution: FireWall-1 allows data in FTP data connections to flow only in one direction. This will cause connectivity problems for FTP implementations that transfer data in both directions, for example an FTP implementation that uses SSL for data connections (requires an exchange of encryption parameters). To allow bi-directional flow of data in FTP data connections, use service "ftp-bidir" instead of "ftp" in all relevant rules. Install policy after changing the rules to make the change effective.

Maybe you can try to make your own service and play around with the different FTP options?

Best regards
Bart Knippenberg

2007/12/7, Rob Thompson <my.security.lists () gmail com>:
Hello list,

I hope that this is an okay place to post this thread. I am really not sure where else to go and I feel it'll be more productive than trying to call Checkpoint.

I am running into a problem where I have a Checkpoint firewall that I am being blocked by. (It's our firewall that's doing the blocking... Funny huh?) I am attempting to connect to an Explicit SSL FTP server. (Why explicit??? Beats me, not nearly as secure as Implicit SSL.) When I connect, the initial connection occurs fine and I am receiving the initial response from the server that I am connecting to. The problem is the data connection is not being allowed out of my network.

I have done a little bit of research on this and found that there is a bug with Checkpoint firewalls and SSL via FTP. I was referred to "Checkpoint support article sk9930" by a site that I Blackled. Here's the problem, I can't find this article. I tried to locate it via Checkpoint's site and either this article is too old and is no longer posted or... well, I can never really find anything through that company... Their site is, IMO, a true cluster.... Blackle/Yahoo is coming up with nothing.

Anyhow, is there anyone out there that has or can point me to a site that has article SK9930? I really would like to be able to help fix this problem without having to call Checkpoint out here to fix a known bad problem in their device. Not to mention the hassle of trying to even deal with them.

I'm sorry that this e-mail is so vague, I included what I think is pertinent. If you need further information, I will do my best to provide what I can.

Thank you in advance for any help that can be provided...

--
Rob
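The mechanism behind the "ftp" versus "ftp-bidir" advice above, as an added illustration that is not part of this thread and not Check Point's code: explicit FTPS (RFC 4217) starts in clear text on port 21, upgrades the control channel with AUTH TLS, and with PROT P runs TLS on every data connection too. A TLS handshake needs packets in both directions before any file data flows, so even a RETR (payload strictly server to client) begins with a client-sent ClientHello on the data connection. The firewall model below is built only from the sk20837 sentence quoted above ("data in FTP data connections flows only in one direction"); the command-to-direction table, the packet sequence and the ClientHello bytes are constructed for the example, and the service names come from the post.

```python
"""Why a one-direction "ftp" service breaks explicit FTPS (AUTH TLS + PROT P).

Added illustration for this thread, not Check Point code: the firewall behaviour
is modelled from the sk20837 text, and every packet below is constructed.
"""

C2S = "client->server"
S2C = "server->client"

# Direction the file payload moves for each command that opens a data connection.
# This is the only direction the modelled "ftp" service lets data flow.
PAYLOAD_DIRECTION = {"RETR": S2C, "LIST": S2C, "NLST": S2C, "STOR": C2S, "APPE": C2S}


def explicit_ftps_control_exchange():
    """Control-channel dialogue of explicit FTPS up to the data transfer (constructed).

    Unlike implicit FTPS (TLS from the first byte on a dedicated port), explicit
    FTPS starts in clear text and upgrades with AUTH TLS; PROT P then asks for
    TLS on every data connection as well.
    """
    return [
        (S2C, "220 FTP server ready"),
        (C2S, "AUTH TLS"),
        (S2C, "234 Proceed with negotiation"),      # control channel is TLS from here
        (C2S, "PBSZ 0"),
        (S2C, "200 PBSZ=0"),
        (C2S, "PROT P"),                            # private (TLS) data channels
        (S2C, "200 Protection level set to P"),
        (C2S, "PASV"),
        (S2C, "227 Entering Passive Mode (192,0,2,10,195,89)"),
        (C2S, "RETR report.csv"),
        (S2C, "150 Opening data connection"),
    ]


def tls_client_hello():
    """Minimal, well-formed TLS 1.2 ClientHello record (constructed, not captured).

    With PROT P in effect this is the first thing on a data connection, and it is
    sent by the client even when the transfer (RETR) only moves data server->client.
    """
    body = b"\x03\x03" + bytes(32) + b"\x00"   # client_version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                        # compression methods: null only
    body += b"\x00\x00"                        # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def is_tls_client_hello(data):
    """True if a data-connection payload starts with a TLS ClientHello record."""
    return (
        len(data) >= 6
        and data[0] == 0x16   # record content type: handshake
        and data[1] == 0x03   # record version, major byte
        and data[5] == 0x01   # handshake message type: ClientHello
    )


def data_connection_packets(command, prot):
    """Packets on the data connection for `command` under PROT C (clear) or PROT P (TLS).

    Only the ClientHello is encoded; the other payloads are labels.
    """
    payload_dir = PAYLOAD_DIRECTION[command]
    if prot == "C":
        return [(payload_dir, b"<file bytes>")]
    if prot != "P":
        raise ValueError("PROT must be C or P")
    return [
        (C2S, tls_client_hello()),                               # handshake needs both
        (S2C, b"<ServerHello, Certificate, ServerHelloDone>"),   # directions ...
        (C2S, b"<ClientKeyExchange, ChangeCipherSpec, Finished>"),
        (S2C, b"<ChangeCipherSpec, Finished>"),
        (payload_dir, b"<file bytes as TLS application data>"),  # ... before any file data
        (C2S, b"<close_notify>"),
    ]


def fw1_verdict(command, packets, service):
    """Model of the two service objects named in sk20837 (modelled, not vendor logic).

    'ftp'       : pass data only in the direction implied by the command.
    'ftp-bidir' : pass data in both directions.
    Returns ("ACCEPT", None) or ("DROP", first_offending_payload).
    """
    if service == "ftp-bidir":
        return "ACCEPT", None
    if service != "ftp":
        raise ValueError("unknown service object: %r" % service)
    allowed = PAYLOAD_DIRECTION[command]
    for direction, payload in packets:
        if direction != allowed:
            return "DROP", payload
    return "ACCEPT", None


if __name__ == "__main__":
    for prot in ("C", "P"):
        for service in ("ftp", "ftp-bidir"):
            verdict, pkt = fw1_verdict("RETR", data_connection_packets("RETR", prot), service)
            note = "(ClientHello dropped)" if pkt is not None and is_tls_client_hello(pkt) else ""
            print("RETR under PROT %s via %-9s -> %s %s" % (prot, service, verdict, note))
```

Running it shows the symptom Rob describes: the control channel (port 21) comes up fine, a clear-text RETR passes the one-direction "ftp" service, and the same RETR under PROT P is dropped at the very first data-connection packet, the client's ClientHello; "ftp-bidir" accepts all of them. The `is_tls_client_hello` check is the kind of test to apply to a packet capture of the data port when deciding whether a blocked transfer is the FTPS case rather than an ordinary FTP problem.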
Current thread:
- Checkpoint Firewall denying Explicit SSL Rob Thompson (Dec 07)
- RE: Checkpoint Firewall denying Explicit SSL TVB NOC (Dec 07)
- Re: Checkpoint Firewall denying Explicit SSL Rob Thompson (Dec 07)
- RE: Checkpoint Firewall denying Explicit SSL TVB NOC (Dec 07)
- Re: Checkpoint Firewall denying Explicit SSL Rob Thompson (Dec 10)
- Re: Checkpoint Firewall denying Explicit SSL Rob Thompson (Dec 07)
- RE: Checkpoint Firewall denying Explicit SSL TVB NOC (Dec 07)
- Re: Checkpoint Firewall denying Explicit SSL ChrisSerafin (Dec 07)
- Re: Checkpoint Firewall denying Explicit SSL bart knippenberg (Dec 08)