Security Basics mailing list archives

Re: Checkpoint Firewall denying Explicit SSL


From: "bart knippenberg" <bartknippenberg () gmail com>
Date: Sat, 8 Dec 2007 15:25:16 +0100

Hello Rob,

Maybe this can help:

Solution ID: sk20837

Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG AI
Last Modified: 08-Aug-2006
Solution
FireWall-1 allows data in FTP data connections to flow only in one
direction. This will cause connectivity problems for FTP
implementations that transfer data in both directions, for example an
FTP implementation that uses SSL for data connections (requires an
exchange of encryption parameters).

To allow bi-directional flow of data in FTP data connections, use
service "ftp-bidir" instead of "ftp" in all relevant rules. Install
policy after changing the rules to make the change effective.

Maybe you can try to make your own service and play around with the
different FTP options?

Best regards

Bart Knippenberg


2007/12/7, Rob Thompson <my.security.lists () gmail com>:
Hello list,

I hope that this is an okay place to post this thread.  I am really
not sure where else to go and I feel it'll be more productive than
trying to call Checkpoint.

I am running into a problem where I have a Checkpoint firewall that I
am being blocked by.  (It's our firewall that's doing the blocking...
Funny huh?)

I am attempting to connect to an Explicit SSL FTP server.  (Why
explicit???  Beats me, not nearly as secure as Implicit SSL.)

When I connect, the initial connection occurs fine and I am receiving
the initial response from the server that I am connecting to.  The
problem is the data connection is not being allowed out of my network.

I have done a little bit of research on this and found that there is a
bug with Checkpoint firewalls and SSL via FTP.  I was referred to
"Checkpoint support article sk9930" by a site that I Blackled.

Here's the problem, I can't find this article.  I tried to locate it
via Checkpoints site and either this article is too old and is no
longer posted or...well I can never really find anything through that
company...  Their site is, IMO, a true cluster....  Blackle/Yahoo - is
coming up with nothing.

Newho - is there anyone out there that has or can point me to a site
that has article SK9930?  I really would like to be able to help fix
this problem without having to call Checkpoint out here to fix a known
bad problem in their device.  Not to mention the hassle of trying to
even deal with them.

I'm sorry that this e-mail is so vague, I included what I think is
pertinent.  If you need further information, I will do my best to
provide what I can.

Thank you in advance for any help that can be provided...

--
Rob
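
The following probe is an added example, not code from either message, from Check Point or from sk20837. It walks an explicit-TLS (AUTH TLS, RFC 4217) FTP session stage by stage with Python's standard library and reports, separately, whether the PASV data port accepts the TCP connection and whether the TLS handshake on that data connection completes. Rob's symptom (control channel fine, data connection never gets through) and the sk20837 explanation (data passes in one direction only, but a TLS handshake needs bytes in both directions before any file data flows) show up as two different stage failures, so the script tells them apart. The host, port and credentials are command-line assumptions, the stage names and verdict strings are mine, and certificate verification is deliberately disabled because the script tests reachability, not the server's identity; do not reuse that context for anything else.

```python
"""ftps_probe.py: stage-by-stage probe of an explicit-TLS (AUTH TLS) FTP session.

Separates "the firewall drops the data connection" from "the data connection
opens but its TLS handshake never completes", the one-direction symptom that
the Check Point sk20837 note describes.  Standard library only, Python 3.6+.
"""
import socket
import ssl
import sys
from ftplib import FTP_TLS, Error as FTPError

# Stages in the order an RFC 4217 explicit-TLS client goes through them.
STAGES = ("control_tcp", "auth_tls", "login", "prot_p",
          "pasv", "data_tcp", "data_tls", "transfer")


def probe(host, port=21, user="anonymous", password="probe@example.invalid",
          timeout=10):
    """Return {stage: bool, ..., "pasv_addr": (ip, port) or None, "error": str or None}."""
    result = {stage: False for stage in STAGES}
    result.update(pasv_addr=None, error=None)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # diagnostic only: we test reachability,
    ctx.verify_mode = ssl.CERT_NONE   # not the server certificate
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    data = None
    try:
        ftp.connect(host, port)                  # 220 banner, still cleartext
        result["control_tcp"] = True
        ftp.auth()                               # AUTH TLS -> 234: control channel now encrypted,
        result["auth_tls"] = True                # so a firewall can no longer read PASV/PORT replies
        ftp.login(user, password)
        result["login"] = True
        ftp.prot_p()                             # PBSZ 0 + PROT P: data connections will be TLS too
        result["prot_p"] = True
        result["pasv_addr"] = ftp.makepasv()     # PASV -> 227 (h1,h2,h3,h4,p1,p2), port = p1*256+p2
        result["pasv"] = True
        # Open the data connection by hand so the TCP connect and the TLS handshake
        # are reported separately (ftplib's transfercmd() does both in one call).
        data = socket.create_connection(result["pasv_addr"], timeout=timeout)
        result["data_tcp"] = True
        ftp.putcmd("LIST")   # send the transfer command but read the 150 later:
                             # some servers handshake on the data socket before replying
        # The handshake needs bytes in BOTH directions (ClientHello out, ServerHello
        # back) before any listing data flows.  Reusing the control-channel TLS
        # session keeps servers that require session reuse from rejecting us.
        data = ctx.wrap_socket(data, server_hostname=host, session=ftp.sock.session)
        result["data_tls"] = True
        ftp.getresp()                            # 150 "Here comes the directory listing"
        while data.recv(4096):
            pass
        data.close()
        data = None
        ftp.voidresp()                           # 226 transfer complete
        result["transfer"] = True
        ftp.quit()
    except (OSError, FTPError) as exc:           # socket/ssl timeouts and FTP error replies
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        if data is not None:
            data.close()
        ftp.close()
    return result


def diagnose(result):
    """One-line verdict from a probe() result, based on the first stage that failed."""
    verdicts = (
        ("control_tcp", "control connection to tcp/21 failed: blocked or server down"),
        ("auth_tls", "AUTH TLS failed: server declined it or the control channel was interfered with"),
        ("login", "login rejected: credentials, not the firewall"),
        ("prot_p", "PBSZ/PROT P rejected: server will not protect data connections"),
        ("pasv", "PASV rejected by the server"),
        ("data_tcp", "data port unreachable: data-connection SYN dropped (the firewall cannot "
                     "derive a pinhole from the encrypted 227 reply, so the port needs a rule)"),
        ("data_tls", "data TCP connected but TLS handshake stalled: traffic passes in one direction "
                     "only (Check Point: switch the rule from ftp to ftp-bidir and install policy)"),
        ("transfer", "handshake completed but transfer failed: check TLS session reuse and PROT settings"),
    )
    for stage, verdict in verdicts:
        if not result[stage]:
            return verdict
    return "explicit FTPS control and data connections work end to end"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: ftps_probe.py HOST [PORT [USER PASSWORD]]")
    args = sys.argv[1:]
    host = args[0]
    port = int(args[1]) if len(args) > 1 else 21
    creds = tuple(args[2:4]) if len(args) >= 4 else ("anonymous", "probe@example.invalid")
    res = probe(host, port, *creds)
    for stage in STAGES:
        print(f"{stage:12s} {'ok' if res[stage] else 'FAIL'}")
    if res["error"]:
        print("error:", res["error"])
    print(diagnose(res))
```

Run it from behind the firewall as `python ftps_probe.py ftp.example.invalid 21 user password`. With a rule that uses the plain "ftp" service as sk20837 describes, the expected picture is `data_tcp ok` followed by `data_tls FAIL` with a timeout: the ClientHello leaves, the ServerHello never comes back, and the listing never starts, which is what Rob sees as "the data connection is not being allowed out". After switching the rule to ftp-bidir and installing policy, every stage should report `ok`. A `data_tcp FAIL` instead means the passive port itself is being dropped, which is a different rule problem and not the one the note addresses.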


