IBM Support

Cannot navigate through Checkpoint Firewall-1 using SSL and Clear Command Channel. (SCI28182)

Troubleshooting


Problem

Cannot navigate through Checkpoint Firewall-1 using SSL and Clear Command Channel. (SCI28182)

Symptom

Cannot navigate through Checkpoint Firewall-1 using SSL and Clear Command Channel.
The FTP return packet of a connection is blocked.
Error in the log viewer: "packet was blocked because it <violated unidirectional connection>"

Cause

FireWall-1 marked the connection in the connections table as unidirectional.

Resolving The Problem

The following information was found on Checkpoint's FAQ pages:

Upgrade to FireWall-1 4.0 SP8 or VPN-1/FireWall-1 4.1 SP2.

After the installation is complete, to allow the FTP connection to be bidirectional, define a new service of type "other" (a possible name is bi_ftp) with the following fields:

prologue:

#define FTP_PORT_RESTR

match:

tcp, dport=21, record <conn;x> in ftp_restrictions

(where x is 5 for command line FTP, 6 for passive FTP, or 7 for both)

After that, place the new service in the relevant FTP rules and install the policy.

This will allow FTP connections accepted by this service to use bi-directional data connections.
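As an added illustration (not part of the IBM or Check Point text), the following Python helper builds the bi_ftp service fields for a chosen x and scans log text for the drop reason quoted in the Symptom section, so an administrator can confirm the symptom before changing the policy. The log lines are constructed samples in an assumed format, not real Check Point log output.

```python
import re

# Values of x as given in the article.
FTP_RESTRICTION_MODES = {
    5: "command line FTP",
    6: "passive FTP",
    7: "command line and passive FTP",
}


def bi_ftp_service(x: int, name: str = "bi_ftp") -> dict:
    """Return the fields of the 'other'-type service described in the article."""
    if x not in FTP_RESTRICTION_MODES:
        raise ValueError(f"x must be 5, 6 or 7, got {x}")
    return {
        "name": name,
        "type": "other",
        "prologue": "#define FTP_PORT_RESTR",
        "match": f"tcp, dport=21, record <conn;{x}> in ftp_restrictions",
        "covers": FTP_RESTRICTION_MODES[x],
    }


# Constructed sample log lines (assumed layout, not real firewall output);
# only the quoted reason text comes from the article.
SAMPLE_LOG = """\
2019-12-17 10:01:03 accept src=10.0.0.5 dst=192.0.2.10 service=21 proto=tcp
2019-12-17 10:01:05 drop src=192.0.2.10 dst=10.0.0.5 service=20 proto=tcp reason="packet was blocked because it violated unidirectional connection"
2019-12-17 10:01:09 accept src=10.0.0.7 dst=192.0.2.10 service=443 proto=tcp
"""

# Matches a drop line carrying the article's error text; captures time, src, dst.
UNIDIRECTIONAL_RE = re.compile(
    r"(\S+ \S+) drop src=(\S+) dst=(\S+) .*violated unidirectional connection"
)


def find_unidirectional_drops(log_text: str) -> list:
    """Return (timestamp, src, dst) for each drop caused by a unidirectional connection."""
    hits = []
    for line in log_text.splitlines():
        m = UNIDIRECTIONAL_RE.search(line)
        if m:
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    for hit in find_unidirectional_drops(SAMPLE_LOG):
        print("unidirectional drop:", hit)
    print(bi_ftp_service(7)["match"])
```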


Historical Number

PRI6236

Product Synonym

Fact: CONNECT:Enterprise UNIX; Release 1.3.00; SCI28182

Document Information

Modified date:
17 December 2019

UID

swg21544420