Thursday, March 30, 2006

Q: How do I keep the firewall's SmartDefense from dropping some of my FTP sessions?

A:
The firewall log says some of the FTP sessions are being dropped for "reason: tried to open a known service port". This is a case of the firewall trying to be just a little too clever. It drops any FTP data connection whose ephemeral port happens to coincide with a port defined as a service (or falling inside a range of service ports) in the rulebase, on the off chance that the connection is an FTP bounce attack rather than part of a legitimate FTP session.

To stop this from occurring, go to the SmartDefense tab in the management console and navigate to the leaf object "Network Security / Dynamic Ports". You can leave "Block data connections to low ports" checked, but choose the radio button for "Allow data connections to all defined services' ports". (Of course, this won't take effect until you install the policy.)

This solved the problem for me. I would have thought that the SmartDefense "Application Intelligence / FTP / Prevent known ports checking" would have been the thing to check, but that is still unchecked and the FTP sessions are working.
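To make the distinction concrete, here is an added Python model of the two "Dynamic Ports" settings applied to an FTP PORT command or 227 PASV reply; it is not Check Point's code, and the service range, addresses and port tuples are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the SmartDefense "Dynamic Ports" decision described in the
# post. It is an added illustration, not Check Point's implementation.
PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DynamicPortsPolicy:
    # "Block data connections to low ports" (left checked in the post)
    block_low_ports: bool = True
    # False = "Block data connections to all defined services' ports" (what bit us)
    # True  = "Allow data connections to all defined services' ports" (the fix)
    allow_defined_service_ports: bool = False
    # Hypothetical rulebase service objects as (low, high) port ranges
    defined_services: list = field(default_factory=list)


def parse_ftp_port(text):
    """Extract (host, port) from a PORT command or a 227 PASV reply."""
    m = PORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ".".join(map(str, (h1, h2, h3, h4))), p1 * 256 + p2


def check_data_connection(text, policy):
    """Return (verdict, reason) for the data connection announced in text."""
    host, port = parse_ftp_port(text)
    if policy.block_low_ports and port < 1024:
        return "drop", "data connection to low port %d" % port
    hit = [(lo, hi) for lo, hi in policy.defined_services if lo <= port <= hi]
    if hit and not policy.allow_defined_service_ports:
        # This is the log line the post quotes: an ephemeral port that happens
        # to fall inside a defined service range is treated as a bounce attempt.
        return "drop", "tried to open a known service port (%d in %s)" % (port, hit[0])
    return "accept", "port %d on %s" % (port, host)


if __name__ == "__main__":
    # Constructed rulebase: a service object covering 8000-8999; the client's
    # ephemeral port 31*256+144 = 8080 lands inside it.
    policy = DynamicPortsPolicy(defined_services=[(8000, 8999)])
    for allow in (False, True):
        policy.allow_defined_service_ports = allow
        print(allow, check_data_connection("PORT 10,1,1,5,31,144", policy))
```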
