I had to deal with this one a few months ago.  The answer is in the Ipswitch
Knowledge Base (http://support.ipswitch.com/kb/FS-20001102-DM01.htm) but is
misleading.  Check Point's Service Pack 3 does NOT fix this problem.  And,
if you install Service Pack 4 after you have installed this workaround, you
must reinstall the workaround.

******** Knowledge Base **************
Question/Problem: Why do I have problems connecting to WS_FTP Server from
behind a Checkpoint Firewall?

Answer/Solution: Checkpoint FireWall-1 expects FTP port commands to be
followed with \r\n.

Following is a response from Checkpoint regarding this problem:

Service Pack 3 will fix this bug.

There is also a workaround on our (Checkpoint) Secure Knowledge Database.

Solution: FTP to specific servers fails (10043.0.7772541.2711982)
Edit the $FWDIR/lib/base.def file to allow FTP headers without "\r\n":

1. Stop FireWall-1 (fwstop)
2. Edit the /$FWDIR/lib/base.def
3. Mark out the following line:

#define FTP_ENFORCE_NL
to:
//#define FTP_ENFORCE_NL

4. Start FireWall-1 (fwstart)
5. Re-install the policy

For more information please contact the firewall vendor.
******** Knowledge Base **************

Good Luck!
Jim
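
The note above that Service Pack 4 undoes the workaround means base.def is worth re-checking after every service pack. The script below is an added example, not code from Ipswitch, Check Point or this thread. The function names are hypothetical, and it assumes the line appears in base.def exactly in the two forms the Knowledge Base article shows.

```sh
#!/bin/sh
# Added example. Prints the state of FTP_ENFORCE_NL in a base.def file:
#   enforced   - "#define FTP_ENFORCE_NL" is active (workaround not applied)
#   disabled   - the line is commented out with "//" (workaround applied)
#   absent     - no such line was found
ftp_enforce_nl_state() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    def='#[[:space:]]*define[[:space:]]+FTP_ENFORCE_NL[[:space:]]*$'
    if grep -Eq "^[[:space:]]*$def" "$file"; then
        echo "enforced"
    elif grep -Eq "^[[:space:]]*//[[:space:]]*$def" "$file"; then
        echo "disabled"
    else
        echo "absent"
    fi
}

# Comment out the active define, keeping the original as FILE.bak.
# Does nothing when the define is already disabled or absent.
disable_ftp_enforce_nl() {
    file=$1
    [ "$(ftp_enforce_nl_state "$file")" = "enforced" ] || return 0
    cp -p "$file" "$file.bak" || return 1
    sed 's|^\([[:space:]]*\)\(#[[:space:]]*define[[:space:]][[:space:]]*FTP_ENFORCE_NL[[:space:]]*\)$|\1//\2|' \
        "$file.bak" > "$file"
}

# Round trip on a constructed sample (not a real base.def).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '// constructed sample' '#define FTP_ENFORCE_NL' > "$tmp"
    before=$(ftp_enforce_nl_state "$tmp")
    disable_ftp_enforce_nl "$tmp"
    after=$(ftp_enforce_nl_state "$tmp")
    rm -f "$tmp" "$tmp.bak"
    echo "$before -> $after"
}
demo

# On the firewall itself, report the live file when FWDIR is set.
if [ -n "${FWDIR:-}" ] && [ -f "$FWDIR/lib/base.def" ]; then
    ftp_enforce_nl_state "$FWDIR/lib/base.def"
fi
```

The script only reads or edits the file; stopping FireWall-1, starting it again and re-installing the policy remain the manual steps listed in the article.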

-----Original Message-----
From: Sub Net [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 10, 2001 10:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [WS_FTP Forum] WS_FTP Server w/SSL


I am not 100% sure whether it is doing command filtering or not.  The
CheckPoint FW-1 product uses stateful packet inspection, not proxy-style
command filtering.  If you or anyone is familiar with the exact setup on
this firewall to get SSL working, please let me know.

Thanks,
Tim


>From: "Jason H." <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: Re: [WS_FTP Forum] WS_FTP Server w/SSL
>Date: Sun, 9 Sep 2001 12:37:14 -0400
>
>Tim,
>
>Is the Firewall doing command filtering? If so you need to turn command
>filtering off.  When WS_FTP attempts to negotiate the connection it issues
>the AUTH SSL command.  If the firewall does not understand this command it
>will then reject it.  You will need to completely disable the command
>filtering, because once the AUTH SSL portion gets through and the SSL
>connection is negotiated everything will then be encrypted and the firewall
>will begin rejecting the connection again due to the fact it cannot decrypt
>the information coming through.
>
>
>----- Original Message -----
>From: Sub Net <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Saturday, September 08, 2001 3:33 PM
>Subject: [WS_FTP Forum] WS_FTP Server w/SSL
>
>
> > Has anyone been able to get SSL to work with CheckPoint's FW-1 firewall? If
> > so, any details would be greatly appreciated.  The FTP server works great
> > without SSL, but WS_FTP Pro ver7 hangs when trying to negotiate an SSL
> > session through the firewall.  This problem does not occur if I connect SSL
> > inside the firewall.
> >
> > Thanks,
> > Tim
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html to be
> > removed from this list.