
Cannot access web server using SSL

Status
Not open for further replies.
May 29, 2003
Hi, I have set up a server in a DMZ for secure up/downloading.
Although I can see the server on HTTP and FTP, I cannot use FTP SSL to connect.

I am using a Nokia IP 330 and have checked both the Voyager setup and the firewall rules and cannot see what the problem is.

I've tried connecting both externally and internally (LAN) to the DMZ server but still nothing.

Can someone help please?

Regards
Ian
 
If you look down at the entry "FTPS on port 21" you might see a similar problem.

It depends on what port you are trying to connect FTP SSL over. It depends on the server configuration for this. If you are using port 20/21, the usual FTP ports, then you will need to create another service and not use the FTP service built into FW-1, as this is specific to FTP and doesn't accept secure FTP.

Manage - Service - New - Other - (port set up on the secure FTP server)

and add the rule for secure FTP.

 
Hi Piloria.

The way the FTP ssl server seems to work is the original packet is created via port 21 then it uses 1024 or higher to transmit the rest of the packet.

I have set the rule to any to Webserver on ANY service and it doesn't work.

I've tried it from the LAN to the DMZ and it still fails, so something must be on the firewall.

I've checked the rules and the Nokia Voyager software and nothing.

Does Check Point need the service defined before it will work?

Regards
Ian
 
If Any service is set then it should work. But with Check Point you can never tell.

Are you getting any information from the logs on the firewall detailing the connection and whether anything is rejected or accepted?
 
One thing I have found out with CP is that for service Any doesn't always mean any. To verify if the service is part of the Any service, view the advanced properties of the service and see if the "Match for Any" option is checked off.

Are you NATing properly? Try doing a tcpdump -i <dmz interface> host <ipaddress of ftp>; this will let you see if your requests are making it to the server.
 
After rn41ts' comment I would recommend that you create a service for sftp and include it in the Any on the port that your server is set to receive on.
 
Thank you all for your help.
I have since found out that CP FW-1 4.1 SP6 doesn't know anything about FTPS and therefore drops all packets, as it thinks it is a hacked FTP packet.

I'm having to upgrade to NG FP3 for this to work.

Thanks again
Ian
 
Before doing that, look back at my first entry. You need to create a new service for FTPS, use TCP, and create it for your FTPS port number (probably the same as the FTP port number), but don't set the advanced tab to FTP, as this is what is stopping your connection.
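The reason behind both the drop Ian reports and the fix described in this post (a plain TCP service instead of the built-in FTP service) is that an FTP protocol helper reads the plaintext control channel to learn which data port to open from the server's 227 passive-mode reply; once AUTH TLS has been negotiated the control channel is ciphertext, so the helper can neither find a 227 reply nor recognise the bytes as FTP. The Python below is an added example written for this thread, not Check Point code or anything posted by the participants: it models a generic stateful-inspection FTP helper and compares a constructed plaintext session with a constructed explicit-FTPS session. The host 10.0.0.5, the user name, the passive port and the TLS stand-in bytes are all made up; the drop-on-non-FTP-bytes behaviour is an assumption about how such a helper reacts, not a statement about any specific product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Server passive-mode reply, e.g. "227 Entering Passive Mode (10,0,0,5,19,137)"
# -> data connection to 10.0.0.5 on port 19*256 + 137 = 5001.
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Verdict:
    action: str = "accept"                                # "accept" or "drop"
    data_ports: List[int] = field(default_factory=list)   # ports the helper would open dynamically
    reasons: List[str] = field(default_factory=list)      # human-readable audit trail


def parse_pasv(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def looks_like_ftp_line(data: bytes) -> bool:
    """An FTP control line is printable ASCII terminated by CRLF (RFC 959)."""
    return data.endswith(b"\r\n") and all(32 <= b < 127 for b in data[:-2])


def inspect_session(msgs: List[Tuple[str, bytes]], ftp_inspection: bool = True) -> Verdict:
    """Model a stateful firewall's handling of one FTP control connection.

    msgs: (direction, payload) pairs; direction is "C" (client->server) or "S".
    ftp_inspection=True  models a service defined as FTP (protocol helper on).
    ftp_inspection=False models a plain TCP service on the same port, i.e. the
    fix suggested in the thread: payload is not parsed at all (assumed behaviour).
    """
    v = Verdict()
    if not ftp_inspection:
        v.reasons.append("plain TCP service: payload not parsed, no dynamic data ports")
        return v
    for direction, payload in msgs:
        if not looks_like_ftp_line(payload):
            # Assumed helper behaviour: anything that is not a readable FTP line
            # on the control channel is treated as a protocol violation.
            v.action = "drop"
            v.reasons.append(f"non-FTP bytes on control channel from {direction}: {payload[:4]!r}")
            break
        if direction == "S":
            pasv = parse_pasv(payload)
            if pasv:
                v.data_ports.append(pasv[1])
                v.reasons.append(f"opened data port {pasv[1]} from 227 reply")
    return v


# Constructed plaintext FTP session: the helper reads the 227 reply and opens port 5001.
PLAIN_FTP = [
    ("S", b"220 dmz-ftp ready\r\n"),
    ("C", b"USER ian\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS ********\r\n"),
    ("S", b"230 Logged in\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (10,0,0,5,19,137)\r\n"),
]

# Constructed explicit-FTPS session: after AUTH TLS the control channel carries
# TLS records (the bytes below are a stand-in, not a real handshake), so the
# helper never sees a readable 227 reply and flags the traffic as malformed FTP.
FTPS = [
    ("S", b"220 dmz-ftp ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation\r\n"),
    ("C", b"\x16\x03\x01\x00\x8a\x01\x00\x00"),   # stand-in for a TLS ClientHello
    ("S", b"\x16\x03\x01\x00\x4d\x02\x00\x00"),   # stand-in for a TLS ServerHello
]

if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_FTP), ("FTPS", FTPS)):
        for helper in (True, False):
            v = inspect_session(session, ftp_inspection=helper)
            print(f"{name:9} helper={helper!s:5} -> {v.action:6} data_ports={v.data_ports} {v.reasons}")
```

The second consequence matters when the plain TCP service is used instead: with no helper the firewall no longer opens passive data ports on the fly, so the FTPS server's passive port range has to be fixed in its configuration and permitted explicitly in the rule alongside the control port.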
 
Just a word of warning in regards to FP3: there are a number of bugs. The current Hotfix Accumulator is HFA_312; don't use HFA_310 or HFA_311, and if you have to, stop at HFA_309. Also there's a known issue re: more than 4 IPs on an interface, which was resolved in HFA_310, but I haven't tested this yet.

good luck.
 