> Did you check the box in Policy->Properties->
> Services->Enable FTP PORT Data Connections
> or add a rule to allow the data back connection.
Yes that is checked.
> Explain how you changed the FTP to the high
> port that you're using. I'll assume(ack) that you
> changed the services file and restarted the FTP
> service via an 'init q'. Did you change the
> 'ftp-data 20/tcp' reference as well?
I did change /etc/services so both ftp is on higher port and ftp_data is
on higher port - 1
> Oh, and change the service type of your NEW
> service from 'FTP' to 'other'.
Done that too. Still no go.
> Checkpoint will try and keep track of this, but in v3.x and
> v4.0, you need to convince the software(via INSPEC) to
> track the new control and data ports. This is in addition to
> creating the new FTP service on the higher ports, which
> you should have done already.
I have CP 4.1 SP3
>
> Phoneboy has a writeup, but I found it hard to read the
> first time through(many moons ago). Take a peek at his FAQ at
> http://www.phoneboy.com/fw1/faq/0158.html.
They don't have a thing for 4.1. Tried the solution for 4.0 with 4.1 but
it didn't work.
> If you're still having troubles, send along the lines in your
> rulebase about FTP, what the new service is defined as,
> what policy properties are selected, and the log references
> showing any FTP drops/rejects.
I tried as TCP/FTP service with high port, didn't work. I did set up as
"Other" set up tcp, dport=high_port
The drop is when server sends on high_port-1 to the client.
Clearly FW doesn't know it is FTP connection trying to work here.
I did escalate this with CheckPoint already and waiting for them to see
where the problem is.
Thanks for help.
Regards,
Iztok
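
Added example (not part of the original message, and not Check Point's code): a simplified model of a stateful filter that only parses PORT commands on control ports it has been told are FTP, which reproduces the drop described above for the server's connection from high_port-1. The class and function names, port 2121 and the addresses are constructed for illustration.

```python
import re

# RFC 959 active mode: "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect back.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

class FtpTracker:
    """Toy stateful filter: only the control ports listed here get PORT inspection."""

    def __init__(self, control_ports):
        self.control_ports = set(control_ports)
        self.expected = set()  # (server_ip, server_src_port, client_ip, client_port)

    def control_line(self, client_ip, server_ip, server_port, line):
        """Feed one client->server control line; return True if a pinhole was opened."""
        if server_port not in self.control_ports:
            return False  # connection is not treated as FTP, payload never inspected
        m = PORT_RE.match(line)
        if not m:
            return False
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return False
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Only allow a back connection to the requesting client on an
        # unprivileged port, so PORT cannot redirect data to a third host.
        if ip != client_ip or port < 1024:
            return False
        # Data source port is control port - 1, as in the /etc/services change above.
        self.expected.add((server_ip, server_port - 1, ip, port))
        return True

    def inbound_syn(self, src_ip, src_port, dst_ip, dst_port):
        """Server->client connection attempt: accept only if a PORT announced it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # pinhole is valid for one connection
            return "accept"
        return "drop"

def replay(control_ports):
    """Replay a constructed session: FTP control on 2121, data back from 2120."""
    fw = FtpTracker(control_ports)
    fw.control_line("10.0.0.5", "192.0.2.10", 2121, "PORT 10,0,0,5,19,137\r")
    return fw.inbound_syn("192.0.2.10", 2120, "10.0.0.5", 19 * 256 + 137)

if __name__ == "__main__":
    print("tracker knows only port 21:  ", replay({21}))
    print("tracker also knows port 2121:", replay({21, 2121}))
```
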