Sean Donaghey <[EMAIL PROTECTED]> wrote:
>
> I am not trying to connect to splat with FTPS, I am trying to do
> outbound FTPS to an internet site, from a computer behind my firewall.
> It seems that the firewall is blocking certain things about the FTPS.

I think that when you say "FTPS" people think you are referring to
"SFTP".

SFTP = file transfer using SSH plugin
FTPS = FTP protocol over SSL

I think you are referring to the latter.

> I have gone through SmartDefense and turned off everything that has to
> do with FTP, but it has not fixed it.

It sounds like the FTPS is occurring over port 21. Checkpoint will
assume it is non-SSL (unencrypted) FTP and will attempt to follow the
protocol negotiations. Since the connection is encrypted, this will
fail, and the connection gets dropped as a result.

You can disable FTP protocol following, by editing the Advanced
properties of the FTP object. Usually the Protocol Type field is set to
"FTP" or "FTP_BASIC". You can set it to "None" which will disable any
attempt to follow FTP traffic.

Of course, if you also have normal FTP traffic attempting to flow
through your firewall to other sites, this will break it.

You might instead consider creating a new "ftp-ssl" object which has no
Protocol Type defined but uses port 21. You must unset the "Match for
Any" attribute in order for it to coexist with the other ftp object.
Then, you would want to make sure you explicitly use this ftp-ssl object
in the rule allowing the FTPS out.

You may still run into trouble because the FTP protocol usually does not
work (at least in PORT mode) without the firewall taking part in the
negotiations. You may be able to get it working in PASV mode though.

Good luck!

--
David DeSimone == Network Admin == [EMAIL PROTECTED]
"It took me fifteen years to discover that I had no
talent for writing, but I couldn't give it up because
by that time I was too famous." -- Robert Benchley
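
A simplified model of the behaviour described in the message above, added here as an illustration; it is not part of the original post and is not Check Point's code. The `follow` function, its `protocol_type` parameter, the host name and every session payload are constructed assumptions that mimic a stateful FTP helper reading the control channel on port 21.

```python
import re

# Constructed control-channel payloads: "C" = client to server, "S" = server to client.
PLAIN_FTP = [
    ("S", b"220 ftp.example.test ready\r\n"),
    ("C", b"USER demo\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
]
FTPS_EXPLICIT = [
    ("S", b"220 ftp.example.test ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation\r\n"),
    ("C", b"\x16\x03\x01\x00\x05hello"),              # TLS handshake record
    ("S", b"\x17\x03\x03\x00\x04\x8a\x11\x02\xf0"),   # encrypted 227 reply
]

COMMAND = re.compile(rb"[A-Za-z]{3,4}( [\x20-\x7e]*)?\r\n")
REPLY = re.compile(rb"\d{3}[ -][\x20-\x7e]*\r\n")
HOSTPORT = re.compile(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def follow(session, protocol_type="FTP"):
    """Return (verdict, data_pinholes) for one control connection on port 21."""
    if protocol_type is None:
        # No protocol following: bytes pass uninspected, no pinholes are opened.
        return "accept", []
    pinholes = []
    for direction, data in session:
        grammar = COMMAND if direction == "C" else REPLY
        if not grammar.fullmatch(data):
            # Not a readable FTP line (for example a TLS record): drop.
            return "drop", pinholes
        announces = (direction == "C" and data[:5].upper() == b"PORT ") or \
                    (direction == "S" and data[:4] == b"227 ")
        m = HOSTPORT.search(data) if announces else None
        if m:
            n = [int(x) for x in m.groups()]
            pinholes.append((".".join(map(str, n[:4])), n[4] * 256 + n[5]))
    return "accept", pinholes


if __name__ == "__main__":
    print(follow(PLAIN_FTP))
    print(follow(FTPS_EXPLICIT))
    print(follow(FTPS_EXPLICIT, protocol_type=None))
```

With `protocol_type=None` the control connection survives but the model never learns the negotiated data port, so the data connection has to be permitted by an ordinary rule, which is easier to arrange for a client-initiated PASV connection than for an inbound PORT connection.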