The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: FTP over SSL

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


FTP over SSL is specified in RFC-2228.

Firewalls do not normally pass FTP connections encrypted with SSL, commonly referred to as FTP over SSL. The reason is simple: the firewall cannot inspect the FTP control connection because it is encrypted, so VPN-1/FireWall-1 cannot predict which ports the FTP over SSL session will use for data. Some people have been able to get this to work simply by applying the fix described in the "FTP and Newlines" FAQ entry, assuming the session uses the standard TCP port 21 for control and port 20 for data.

Some variants of FTP over SSL operate over different ports, using port 990 for control and port 989 for data. In that case, you simply need to create the following TCP services:

  • ftp-ssl-control: port 990
  • ftp-ssl-data: port number ">1024" (greater than 1024), source port 989

In other words, ftp-ssl-data matches connections to any TCP port above 1024, provided the source port is 989. The rulebase to permit access looks like the following:

  Source       Destination   Service           Action
  ftp-client   ftp-server    ftp-ssl-control   accept
  ftp-server   ftp-client    ftp-ssl-data      accept

Note that FTP over SSL will not work with Hide Network Address Translation (NAT) in any configuration. Because FireWall-1 cannot see the "control" portion of the connection, it cannot rewrite ("munge") the port information to make the session work with Hide NAT. It can be made to work with Static NAT.
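As an added illustration (not part of the original FAQ and not Check Point code), the following Python models the two service objects and the two-line rulebase above and evaluates which new TCP connections they would accept. The host addresses and object names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    """A TCP service object: destination port range plus an optional fixed source port."""
    name: str
    dst_port_min: int
    dst_port_max: int
    src_port: Optional[int] = None  # None means any source port is acceptable

    def matches(self, src_port: int, dst_port: int) -> bool:
        if not (self.dst_port_min <= dst_port <= self.dst_port_max):
            return False
        return self.src_port is None or src_port == self.src_port


# Service definitions as described in the FAQ.
FTP_SSL_CONTROL = Service("ftp-ssl-control", 990, 990)
# ">1024" destination port, source port 989.
FTP_SSL_DATA = Service("ftp-ssl-data", 1025, 65535, src_port=989)

# Constructed host objects for the example.
FTP_CLIENT = "10.1.1.5"
FTP_SERVER = "192.0.2.10"

# (source, destination, service, action): the FAQ's two-line rulebase.
RULEBASE = [
    (FTP_CLIENT, FTP_SERVER, FTP_SSL_CONTROL, "accept"),
    (FTP_SERVER, FTP_CLIENT, FTP_SSL_DATA, "accept"),
]


def evaluate(src: str, dst: str, src_port: int, dst_port: int) -> str:
    """First-match evaluation of a new connection; anything unmatched is dropped.

    Because the control channel is encrypted, the only thing the firewall can
    key on is the port numbers, so the data rule hinges entirely on the
    server using source port 989 and on the ftp-server object scoping it.
    """
    for rule_src, rule_dst, service, action in RULEBASE:
        if src == rule_src and dst == rule_dst and service.matches(src_port, dst_port):
            return action
    return "drop"
```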
