FTP Bounce 227 = 22_ means SmartDefense not so Smart

A quick update to my post about using Python to test FTP. I am indebted to Kevin for his comment on that post saying that he found the issue was related to the FTP Bounce protection in the Check Point SmartDefense product.

Kevin's comment jogged my memory: our Network Security team did find that the firewall change that broke my FTP service was the enabling of FTP Bounce protection. Having looked up what FTP Bounce is, it does indeed seem like something that should be protected against, but there clearly seems to be a problem with the SmartDefense implementation of it. At present FTP Bounce protection is turned off and my FTP service has been fine since.

I haven't quite got to the bottom of how SmartDefense ends up corrupting ports with a fourth quad of 227, but it appears to be related to the fact that 227 is the reply code an FTP server sends when it enters passive mode ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where the data port is p1*256 + p2).
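To make the 227 reply concrete, here is an added example (my own illustration, not code from the original post and not Check Point's implementation) that decodes the six-number address in a PASV reply and in a client PORT command, and then applies the kind of check an FTP Bounce protection performs: the host advertised for the data connection must match the peer on the control connection, otherwise the server could be made to connect to a third party. The sample replies and the 203.0.113.x / 192.0.2.x addresses are constructed for the example; the helper names are my own.

```python
import re

# RFC 959 encodes the data-connection endpoint as six decimal numbers:
# four host octets followed by the port as high byte, low byte.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b[^(]*\(" + _SIX + r"\)")        # server reply
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)  # client command


def _decode(groups):
    """Turn the six captured numbers into ("h1.h2.h3.h4", port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    for v in (h1, h2, h3, h4, p1, p2):
        if v > 255:
            raise ValueError(f"value {v} exceeds 255")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_pasv_reply(reply: str):
    """Decode a '227 Entering Passive Mode (...)' reply from the server."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return _decode(m.groups())


def parse_port_command(line: str):
    """Decode a 'PORT h1,h2,h3,h4,p1,p2' command from the client."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def check_data_endpoint(advertised_host: str, advertised_port: int, control_peer_ip: str):
    """Bounce check (my assumption of the general rule, not a specific vendor's):
    the data endpoint must belong to the same host as the control connection,
    and must not be a privileged port. Returns (ok, reason)."""
    if advertised_host != control_peer_ip:
        return False, f"advertised host {advertised_host} differs from control peer {control_peer_ip}"
    if advertised_port < 1024:
        return False, f"advertised port {advertised_port} is privileged"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: server at 203.0.113.7, client at 192.0.2.20.
    host, port = parse_pasv_reply("227 Entering Passive Mode (203,0,113,7,195,80).")
    print("PASV ->", host, port, check_data_endpoint(host, port, "203.0.113.7"))
    # A client asking the server to open a data connection to a third host.
    host, port = parse_port_command("PORT 198,51,100,9,0,25")
    print("PORT ->", host, port, check_data_endpoint(host, port, "192.0.2.20"))
```

Running it shows the PASV reply decoding to port 49920 + 80 = 50000 on the server's own address, which passes, while the PORT command pointing at 198.51.100.9 port 25 (a classic bounce target) is rejected on both counts.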

This is all way beyond my area of expertise, so I will leave it at that, other than to say: if you get strange FTP behaviour, check whether you are protecting against FTP Bounce with SmartDefense.
