I ran into a problem today where a user was having trouble accessing a remote FTP site through a Check Point firewall. After recreating the problem at my desk and further reviewing with tcpdump, I found that the initial 3-way handshake would complete, the first line of the 220 welcome message would come back from the FTP server, and then the firewall would issue a reset to both sides of the connection. In SmartView Tracker, I saw a correlating message: “Port command ended without a new line.”
This issue has to do with Check Point's default FTP inspections. The firewall reads the FTP control conversation as it flies by and drops packets for anything it perceives as unusual or malicious behavior. Sometimes a legitimate FTP server will falsely trip Check Point's FTP inspection engine, causing legitimate FTP traffic to be dropped.
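A simplified model of the kind of line-termination check the inspection performs, added here as an illustration (this is not Check Point's code, and the exact logic of its engine is not published on this page). RFC 959 requires every FTP command and reply line to end in CRLF; the per-segment mode below shows how a server that splits a reply line across two TCP segments can look like "a command ended without a new line" to an inspector that judges each segment on its own, while a reassembled view flags only the genuinely malformed line. The segments, addresses and the assumption that segment-level inspection is the cause are constructed for the example.

```python
SAMPLE_SEGMENTS = [
    # constructed control-channel payloads, in arrival order:
    b"220-Constructed FTP server\r\n220 Rea",   # reply line split across segments
    b"dy for login\r\n",                          # ...rest of that line
    b"USER anonymous\r\n",                        # well-formed command
    b"PORT 192,0,2,10,4,2\n",                     # malformed: bare LF, no CR
]


def unterminated_lines(payload: bytes) -> list:
    """Return every line in `payload` that is not terminated by CRLF.

    Two cases are reported: a line ending in a bare LF (no CR), and a
    trailing fragment with no line terminator at all.
    """
    pieces = payload.split(b"\n")
    bad = []
    for piece in pieces[:-1]:          # each of these was followed by an LF
        if not piece.endswith(b"\r"):
            bad.append(piece)          # bare LF
    if pieces[-1]:                     # bytes after the last LF: no terminator
        bad.append(pieces[-1])
    return bad


def inspect_control_channel(segments: list, reassemble: bool) -> list:
    """Inspect FTP control-channel segments for unterminated lines.

    reassemble=False judges each TCP segment by itself (findings carry the
    segment index); reassemble=True joins the stream first (index is None).
    """
    if reassemble:
        return [(None, line) for line in unterminated_lines(b"".join(segments))]
    findings = []
    for idx, seg in enumerate(segments):
        findings.extend((idx, line) for line in unterminated_lines(seg))
    return findings


if __name__ == "__main__":
    # The split 220 reply is a false positive per segment, but not once reassembled;
    # the bare-LF PORT command is flagged either way.
    print("per-segment :", inspect_control_channel(SAMPLE_SEGMENTS, reassemble=False))
    print("reassembled :", inspect_control_channel(SAMPLE_SEGMENTS, reassemble=True))
```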
This is not an uncommon issue, and Check Point provides a workaround in article sk26049 (Check Point login presumably required). In short, the article explains how to disable the inspection that is causing the false positive (along with a couple of other FTP inspections).
Before doing something that will make your firewall LESS secure (which is exactly what this does), use your head. Is this a smart thing to do in your environment? This workaround is a global change. I could not find a way to do a host-specific change, and I did try several tactics.