Troubleshooting
Problem
Cannot navigate through Check Point FireWall-1 using SSL and Clear Command Channel. (SCI28182)
Symptom
Cannot navigate through Check Point FireWall-1 using SSL and Clear Command
Channel.
The FTP return packet of a connection is blocked. The firewall's Log Viewer
shows the error: "packet was blocked because it <violated unidirectional
connection>"
Cause
FireWall-1 marked the FTP connection in its connections table as unidirectional, so packets returning in the opposite direction are dropped as violations of that entry.
Resolving The Problem
The following information was found on Check Point's FAQ
pages:
Upgrade to FireWall-1 4.0 SP8 or VPN-1/FireWall-1 4.1 SP2.
After the upgrade is complete, to allow FTP connections to be bidirectional,
define a new service of type "Other" (a possible name is bi_ftp) with the
following fields:
  Prologue:
    #define FTP_PORT_RESTR
  Match:
    tcp, dport=21, record <conn;x> in ftp_restrictions
(where x should be 5 in the case of command-line FTP, 6 in the case of
passive FTP, or 7 for both)
Then place the new service in the relevant FTP rules and install the policy.
Only FTP connections accepted by this new service are allowed to use
bidirectional data connections; rules that still use the standard ftp
service keep the previous behaviour, so every rule that carries the
affected FTP traffic must be changed.
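To find which rules and endpoints are hit by this error before changing the policy, the log export can be scanned for the "violated unidirectional connection" message and each blocked return packet matched back to the accept entry of the client's control connection. The script below is an added example, not part of this technote or of Check Point's FAQ. The semicolon-separated export layout (field names num, date, time, action, proto, src, dst, service, s_port, rule, reason) is an assumption made for the example, and the six records are constructed sample data, not captured logs.

```python
"""Triage helper for the FireWall-1 'violated unidirectional connection' drop.

Added example; not code from the IBM technote or from Check Point.
ASSUMPTION: the log export is semicolon-separated with one header line and the
field names used below. The records in SAMPLE_LOG are constructed sample data.
"""
import csv
from collections import Counter
from io import StringIO

UNIDIRECTIONAL_MSG = "violated unidirectional connection"

# Constructed sample export. Records 1/3 are accepted FTP control connections
# (client -> server, dport 21, rule 7); records 2/4/6 are the server's return
# packets dropped as unidirectional violations; record 5 is an unrelated drop.
SAMPLE_LOG = """\
num;date;time;action;proto;src;dst;service;s_port;rule;reason
1;17Dec2019;10:01:12;accept;tcp;10.1.1.5;192.0.2.20;ftp;40211;7;
2;17Dec2019;10:01:13;drop;tcp;192.0.2.20;10.1.1.5;ftp-data;20;0;packet was blocked because it violated unidirectional connection
3;17Dec2019;10:02:40;accept;tcp;10.1.1.9;192.0.2.20;ftp;40500;7;
4;17Dec2019;10:02:41;drop;tcp;192.0.2.20;10.1.1.9;ftp-data;20;0;packet was blocked because it violated unidirectional connection
5;17Dec2019;10:03:05;drop;tcp;10.1.1.22;192.0.2.20;telnet;41000;9;
6;17Dec2019;10:04:10;drop;tcp;192.0.2.30;10.1.1.40;ftp-data;20;0;packet was blocked because it violated unidirectional connection
"""


def parse_log(text):
    """Return the export as a list of dicts keyed by the header fields."""
    return list(csv.DictReader(StringIO(text), delimiter=";"))


def unidirectional_drops(records):
    """Keep only drops whose reason field carries the unidirectional message."""
    return [r for r in records
            if r["action"] == "drop" and UNIDIRECTIONAL_MSG in r["reason"]]


def affected_pairs(records):
    """Count blocked return packets per (server, client) pair.

    The blocked packet travels server -> client, so its src is the FTP server.
    """
    return Counter((r["src"], r["dst"]) for r in unidirectional_drops(records))


def rules_to_fix(records):
    """Map each blocked server->client pair to the rule that accepted the
    client's control connection (service 'ftp'), i.e. the rule in which the
    bidirectional service should replace the standard ftp service.

    Pairs whose accept entry is not in the export are collected under None so
    they are not silently lost.
    """
    accepts = {}
    for r in records:
        if r["action"] == "accept" and r["service"] == "ftp":
            accepts[(r["src"], r["dst"])] = r["rule"]
    fixes = {}
    for (server, client) in affected_pairs(records):
        rule = accepts.get((client, server))
        fixes.setdefault(rule, set()).add((client, server))
    return fixes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule, pairs in sorted(rules_to_fix(recs).items(), key=lambda kv: str(kv[0])):
        label = f"rule {rule}" if rule is not None else "no matching accept in export"
        for client, server in sorted(pairs):
            print(f"{label}: client {client} -> server {server}")
```

Run against a real export, the output names the rule numbers whose ftp service must be swapped for bi_ftp; entries reported under "no matching accept in export" need a wider log window before the rule can be identified.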
Historical Number
PRI6236
Product Synonym
CONNECT:Enterprise UNIX; Release 1.3.00; SCI28182
Document Information
Modified date:
17 December 2019
UID
swg21544420