Reconfiguring CheckPoint VPN-1 to allow FTPS connections

I recently tried using FTPS (SSL-encrypted FTP) and noticed that it didn’t work: immediately after the “AUTH TLS” command the connection was dropped. That happened regardless of which server I connected to, and the server was not aware of any disconnect. I am posting the solution here since other people might be affected by this.

It turned out that my router wasn’t responsible. When I looked at the issue with a network sniffer, I saw a TCP RST packet immediately after the first SSL handshake packet, and it arrived with less than 0.1 ms delay, which is too little even for the router. So apparently some program on my computer was responsible, and CheckPoint VPN-1 was my first guess: I had already found that this VPN client is overly protective and interferes with all connections made by the computer, even when it isn’t active.

This is what I found: FTP verifications performed by VPN-1. The problem is that FTPS starts as a regular FTP connection and only switches to SSL afterward. Once the switch happens, the client is sending binary TLS handshake data on the control connection, so the “each FTP command terminates with a new-line character” verification fails, and VPN-1 resets the connection.
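To make the failure mechanism concrete, here is an added example (my own code, not CheckPoint’s) that models the newline rule quoted above and contrasts it with an inspector that stops checking once AUTH TLS has been acknowledged with a 234 reply; the session bytes are constructed.

```python
import re

# Rule quoted on the page: each FTP command must terminate with a new-line.
# The regex is my approximation of that check, not CheckPoint's implementation.
FTP_COMMAND = re.compile(rb"^[A-Za-z]{3,4}(?: [^\r\n]*)?\r?\n$")

def is_tls_handshake(data):
    """True if data starts with a TLS record header for a handshake message
    (content type 0x16, major version 3): the kind of packet the sniffer
    showed right before the RST."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def inspect(session, tls_aware):
    """Walk a control-channel session given as (direction, bytes) events,
    'C' = client to server, 'S' = server to client.
    tls_aware=False mimics the behaviour described above: every client chunk
    is held to the newline rule, so the TLS ClientHello fails it.
    tls_aware=True stops inspecting after AUTH TLS is acknowledged with a
    234 reply, the point where the channel becomes encrypted.
    Returns ('ALLOW', None) or ('RST', index of the offending event)."""
    awaiting_234 = False
    for i, (who, data) in enumerate(session):
        if who == "S":
            if tls_aware and awaiting_234 and data.startswith(b"234"):
                return ("ALLOW", None)  # everything after this is TLS
            awaiting_234 = False  # e.g. 502: server refused, still plaintext
            continue
        if not FTP_COMMAND.match(data):
            return ("RST", i)
        awaiting_234 = data.upper().startswith(b"AUTH TLS")
    return ("ALLOW", None)

# Constructed session: FTP greeting, AUTH TLS, 234, then the client's first
# TLS record (truncated ClientHello; only the record header matters here).
CLIENT_HELLO = bytes.fromhex("16030100a8010000a40303") + b"\x00" * 32
SESSION = [
    ("S", b"220 Service ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation\r\n"),
    ("C", CLIENT_HELLO),
]

if __name__ == "__main__":
    print(inspect(SESSION, tls_aware=False))  # ('RST', 3)
    print(inspect(SESSION, tls_aware=True))   # ('ALLOW', None)
```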

The instructions in the support article were useless for me because I didn’t have the source files on my computer. However, the resulting file SecuRemote\state\userc.fc is still a text file and can be changed to make VPN-1 ignore FTP connections. Look for the line “% function: NN ftp_code 0” (where NN is some number) and insert the following line after it:

94000000	return

That’s it. Restart the CheckPoint services and VPN-1 should no longer interfere with your FTP connections.

Comments

  • Mircea

    Oh, so great you shared this! I wouldn’t have figured this out in months…

  • Jose

    This works really well. (Preferable option)
    Thanks for sharing this good information.
    As an alternative to test it, I tried disabling Secure Client and unchecking it from my NIC card, and it works fine.