Wednesday, August 6, 2014

Checkpoint Firewall FTP issues - 'quote password' or Account command ('ACCT')

I usually post stuff about Cisco, but recently I got exposure to Checkpoint, so I am adding Checkpoint to my library. I am currently working on a three-part "how-to" series on installing virtual Checkpoint Firewalls on a Linux KVM hypervisor. A quick search on Google reveals 0 posts related to this, so mine might be the first "how-to" on this topic. Stay tuned for more Checkpoint-related posts in the near future.

Here is my first post on Checkpoint regarding the FTP issue "Wrong username or password". I will try to keep it short!!  

The error appears when trying to FTP from the command prompt on a Windows machine:

 Command line ftp:  
 ftp ###.###.###.###  
 Connected to ###.###.###.### (###.###.###.###).  
 220 Check Point FireWall-1 Secure FTP server running on XXXXXX  
 Name (###.###.###.###:XXXXX): usernamejoe  
 331 password: you can use password@password  
 Password:  
 200 password: you can use 'quote password' or Account command ('ACCT')  
 ftp> pass  
 Passive mode off.  
 ftp> ls  
 421-Access denied - wrong user name or password   
 421 aborted  

At first glance it might look like the user typed the password incorrectly; however, the Checkpoint firewall is actually the culprit.

Screenshot from Checkpoint SmartLog.

In order to fix this, we have to create a new rule allowing the FTP traffic with a custom service in Check Point.
  • Log into SmartDashboard.
  • Open the policy to edit.
  • Add the rule with the custom service -- screenshots below.
      • Assign a source
      • Assign a destination
      • Create a custom service
          • Assign a name
          • Assign the port
          • Click Advanced
          • Set protocol type to be "FTP_BASIC" << This is the key!!

You might get a warning that says "The port is already used by another service". Click Yes in this dialog box.

Once you push out the policy and install it on your firewall, you should no longer get this error message.
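A client-side check for the situation above, as an added example that is not from the original post: it parses an FTP session transcript and separates a denial that carries the firewall's own reply texts from an ordinary login rejection. The marker strings are taken from the session shown earlier; the function names, verdict labels and the second sample are constructed for this example.

```python
import re

# Reply texts copied from the session on this page; treating them as signs that
# the firewall answered the login is this example's assumption.
FIREWALL_MARKERS = (
    "Check Point FireWall-1 Secure FTP server",
    "you can use password@password",
    "you can use 'quote password' or Account command ('ACCT')",
)
REPLY = re.compile(r"^\s*(\d{3})([ -])(.*)$")

# Session from this page, with some client prompt lines trimmed.
PAGE_SESSION = """\
220 Check Point FireWall-1 Secure FTP server running on XXXXXX
Name (###.###.###.###:XXXXX): usernamejoe
331 password: you can use password@password
200 password: you can use 'quote password' or Account command ('ACCT')
ftp> ls
421-Access denied - wrong user name or password
421 aborted
"""
# Constructed sample: a server rejecting the login itself (530 = not logged in).
PLAIN_FAILURE = "220 FTP server ready\n331 Password required\n530 Login incorrect\n"

def parse_replies(transcript):
    """Return (code, text) per reply, joining multi-line '421-...' / '421 ...' pairs."""
    replies, pending = [], None
    for line in transcript.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # client prompts and commands, not server replies
        code, sep, text = m.group(1), m.group(2), m.group(3).strip()
        if pending and pending[0] == code:
            pending[1].append(text)
        else:
            pending = (code, [text])
        if sep == " ":  # a space after the code ends the reply
            replies.append((int(code), " ".join(pending[1])))
            pending = None
    return replies

def diagnose(transcript):
    """Classify a failed login by whose reply texts appear in the transcript."""
    replies = parse_replies(transcript)
    hits = [m for m in FIREWALL_MARKERS if any(m in t for _, t in replies)]
    denied = any(c == 421 and "Access denied" in t for c, t in replies)
    if hits and denied:
        return {"verdict": "firewall-intercepted", "markers": hits}
    if denied or any(c == 530 for c, _ in replies):
        return {"verdict": "login-rejected", "markers": hits}
    return {"verdict": "no-failure-seen", "markers": hits}
```

Running `diagnose()` on a transcript captured after the policy install gives a quick before/after comparison alongside the firewall logs.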
