I had this FTP Bounce problem with SSL FTP and here is what corrected
it:

These are happening due to the New FTP enforcement that prevents telnet
escape characters inside the FTP control session (binary 0xff).

Solution

To turn off telnet characters detection modify $FWDIR/lib/base.def on
the Management Server.
Procedure:
1) cpstop
2) Make a backup copy of the file and edit $FWDIR/lib/base.def.
3) Modify:
#define FTP_CHECK_ARGS (FTP_NO_CLIENT_227 | FTP_NO_TELNET_OPTIONS)
To:
#define FTP_CHECK_ARGS (FTP_NO_CLIENT_227)
4) cpstart
5) Install policy

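To illustrate why the enforcement above fires on FTP over SSL, here is an added example (not Check Point code, and not from the original post) of a small control-channel checker: it counts telnet IAC bytes (0xff) and shows how a check that ignores the AUTH TLS upgrade flags ordinary ciphertext, while one that stops inspecting after the 234 reply only flags real telnet options. The sessions and host name are constructed sample data.

```python
# Telnet "Interpret As Command" byte: the FTP enforcement discussed above
# rejects any 0xff on the control channel (FTP_NO_TELNET_OPTIONS).
IAC = 0xFF


def inspect_control_channel(messages):
    """Scan an FTP control-channel exchange given as (sender, bytes) pairs.

    Counts IAC bytes separately before and after the point where the client
    sends AUTH TLS/SSL and the server accepts with a 234 reply. After that
    point the bytes are TLS records, so 0xff is ordinary ciphertext.
    'strict' is the verdict of a checker that ignores the TLS upgrade;
    'tls_aware' only counts IAC bytes seen in cleartext.
    """
    auth_requested = False
    encrypted = False
    plain_iac = 0
    cipher_iac = 0
    for sender, data in messages:
        if encrypted:
            cipher_iac += data.count(IAC)
            continue
        plain_iac += data.count(IAC)
        line = data.decode("ascii", errors="replace").strip().upper()
        if sender == "client" and line in ("AUTH TLS", "AUTH SSL"):
            auth_requested = True
        elif sender == "server" and auth_requested and line.startswith("234"):
            encrypted = True  # everything from here on is TLS, not FTP text
    return {
        "plain_iac": plain_iac,
        "cipher_iac": cipher_iac,
        "strict": (plain_iac + cipher_iac) > 0,
        "tls_aware": plain_iac > 0,
    }


# Constructed sample: AUTH TLS upgrade, then a stand-in for a TLS ClientHello
# (not a real handshake, just a record header followed by bytes containing 0xff).
TLS_SESSION = [
    ("server", b"220 ftp.example.test FTP server ready\r\n"),
    ("client", b"AUTH TLS\r\n"),
    ("server", b"234 Proceed with negotiation\r\n"),
    ("client", b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\xff\xff"),
]

# Constructed sample: cleartext session where the client really does send a
# telnet option (IAC WILL ECHO) ahead of USER.
TELNET_SESSION = [
    ("server", b"220 ftp.example.test FTP server ready\r\n"),
    ("client", b"\xff\xfb\x01USER bob\r\n"),
]

if __name__ == "__main__":
    for name, session in (("AUTH TLS", TLS_SESSION), ("telnet option", TELNET_SESSION)):
        print(name, inspect_control_channel(session))
```

Note that the base.def edit above removes the check altogether, so with it applied a cleartext session carrying telnet options (the second sample) is no longer flagged either.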

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Raymond
N
Sent: Wednesday, March 23, 2005 6:48 PM
To: [email protected]
Subject: Re: [FW-1] SSL over FTP


Hmm, what you explained makes sense.  What version of NG AI are you
using? In my version (NG AI R55 hotfix 12), there is a checkbox
(SmartDefense - AI - FTP) for "FTP Bounce", and the only sub-configuration
item is the 'track' option (e.g. log, alert, snmp trap, etc.).  I don't
see if there are options for "watch only".  Shall I just 'untick' FTP
bounce?  Is this a bad thing to do from the security point of view?

BTW, how come the log message said 'TELNET options bounce' instead of
'FTP Bounce'???

Thanks.

-raymond n

At 06:39 PM 3/22/05 -0800, cisco4ng wrote:
>What it means is that checkpoint tried to read the content inside the
>ftp session; however, since the content is "encrypted" via SSL and
>checkpoint does not know or how to decrypt it, it will think that this
>is an "attack" attempt.  If you go into smartdefense and under the ftp,
>go into FTP bounce, and select "monitor only", your ftp over SSL will
>work.
>
>cisco4ng
>
>Raymond N <[EMAIL PROTECTED]> wrote:
>I am using NG AI R55 Hotfix-12 on Nokia platform.
>One of my users tries to do SSL over FTP with an external ftp server
>over the Internet. The connection failed even at the control session
>(i.e. no login prompt). Looking at the firewall log, the rule I have
>for outbound ftp shows the traffic is allowed, but at the "Information"
>column, it has a message about "Attack info: The packet was modified
>due to a potential TELNET OPTIONS Bounce attack".
>
>Can anyone tell me what this is? Again, the firewall log shows the
>traffic is 'permit', but the ftp control session still fails.
>
>Thanks in advance for any info.
>
>-raymond
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
