Support Center > Search Results > SecureKnowledge Details
FTP connection to specific servers fails through the firewall
Symptoms
  • FTP connection to specific servers fails through the Security Gateway.
Cause

There are a number of reasons why FTP connections to specific server sites fail.

Below are the symptoms:

  1. When certain size or types of data message comes back from the FTP server, the Security Gateway closes the FTP connections.
  2. When the Maximum Segment Size required by certain FTP sites is greater than the default "512", a reset is sent from the FTP server to the FTP client and the connection fails. One of the FTP sites where this is seen is ftp.pc.com

After applying the changes suggested in this article, test them by trying to FTP to ftp.cisco.com and to ftp.hp.com. If you are successful with Cisco, but not with HP, then try the suggestions outlined in sk41490 (How do I allow FTP on ports other than port 20 and 21?).


Solution

Use a lower security enforcement, designed for optimal connectivity, which does not demand "newline" characters. (This enforcement also does not check port commands for bounce attacks and dynamic ports.) Define and use a new service, for example "ftp-new", using the protocol type FTP_BASIC in the following way.

  1. Open the Services window ('Manage > Services') in SmartDashboard.

  2. Double-click "TCP Services".

  3. Create a new TCP service. Call it "ftp-new", for example.

  4. In the "Port" field, configure the port to "21" (FTP standard port).

  5. Click the "Advanced" tab, and set protocol type to FTP_BASIC.

    Note: In R80.x, clone the ftp service and set the protocol.

  6. Clear the box "match for any".

  7. Use the service in the relevant rules, and install the Security Policy.

If these steps do not work, perform one of the following steps based on the version of Security Gateway that you are using.

 

Refer to sk95147 (Modifying definitions of packet inspection on Security Gateway for different protocols - 'base.def' file).

 

NGX R60 and Above

The $FWDIR/lib/ftp.def file contains the following instructions:

// If you do not want the FW-1 module to insist on a newline at the end of the

// PORT command, change the following '1' to '0' and re-install the policy

#define FTPPORT_NL 1

To apply this change, do the following from the SmartCenter Server:

  • Issue cpstop from the command line, stopping all services on SmartCenter.

  • Edit the $FWDIR/lib/ftp.def file and change FTPPORT_NL 1 to FTPPORT_NL 0

  • Issue cpstart from the command line, starting all services.

  • Reinstall the Security Policy.

 

NG AI R54 and R55

Modify the following line in $FWDIR/lib/base.def on the management station (This will not affect FireWall-1 NG FP3 and earlier versions.):

// #define FTP_CHECK_PACKET

Should be changed to the following:

#define FTP_CHECK_PACKET

Reinstall the security policy. This enforcement recognizes the suspicious FTP packets and modifies them to be harmless instead of dropping them, and records a proper log message.

Additional Note: VSFTP server may require to use both the predefined service "FTP" and a custom service FTP service with the protocol type "FTP-BASIC"

When a reset is seen from the FTP server to FTP client

To resolve this issue, increase the Maximum Segment Size (MSS). Instructions can be found in sk41199.

Imported from Nokia support database
This solution is about products that are no longer supported and it will not be updated
Applies To:
  • VSFTP
  • FTP Servers

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment