Re: FTP over SSL fails with VPN-1/FireWall-1

I currently went through a swap of a CheckPoint 4.1 FW running on Windows NT 4.0 (this was before my time... don't shoot me :)..). We replaced it with 2 SecurePlatform NGX R61 enforcement modules with HA. We have a multi-DMZ segment design with multiple inbound (IIS; DNS; SMTP, etc.) and outbound (SMTP; HTML; DNS, etc.) connections. Since there is no direct upgrade from 4.1 to NGX, I had to recreate all the rules and such.

Everything went flawlessly except for 2 SSL over FTP connections. We have two client computers on our DMZ that do an outbound connection to a customer. These systems are using static NATs and work perfectly with the 4.1 FW-1. For the life of me I could not get this connection to work through NGX R61. I would see the outbound connection on 21, then an inbound connection from the customer on >1023, but the log entry for the >1023 connection back in from the customer was an alert from SmartDefense. I didn't see any real drops. Just for the sake of testing I put rules in to allow all services to and from the client and our customer, with the same outcome. What am I missing here?

(I apologize for the lack of details. I was up until 3:00 AM last night trying to get this for work. I ended up having to put the old 4.1 FW-1 back into production. I will give you more details when I set this up in the lab. I have to get this to work before the second attempt.)