Simple File Transfer Protocol (SFTP) and High Ports

A user of ours needs to transmit a file to a vendor on a regular basis, and the vendor has requested the use of SFTP through the application "WS_FTP". Initially, the vendor indicated that only TCP port 115 would need to be opened outbound through our firewall, which we granted; however, the transfer is failing. The WS_FTP log indicates "425 Can't open data connection". When I watched the attempt in SmartView Tracker, I see traffic being passed on 115, but dropped on ports 1663, 1664, and 1665 at the same time as the failures.

The vendor now says, "By the way, you also need to open ports 1025 through 65000."

I'm assuming that SFTP is attempting to operate similarly to a Passive FTP connection and is trying to establish a data connection on a higher port. I know that CheckPoint is intelligent enough to make the switch to higher ports when negotiating an FTP connection.

Questions:

1. Is SFTP truly trying to negotiate to a higher port?
2. Is there a way around this, other than opening up the range 1025 through 65000?

Thanks! (NG R55)
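The following Python script is an added illustration of the mechanism the poster is asking about; it is not from the post, from WS_FTP, or from Check Point. It treats the session as passive-mode FTP, which is what the poster assumes is happening: the server's 227 reply carries the data port encoded as p1*256 + p2, and the client then opens a second TCP connection to that port. The script decodes a constructed control-channel transcript (the address 203.0.113.10 and the data port 1663 are made up to reproduce the drops the poster saw) and compares three outbound policies: control port only, the vendor's static 1025-65000 range, and a per-session pinhole for exactly the negotiated port, which is what an FTP-aware stateful firewall does by reading the control channel. The rule model and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed control-channel transcript (not a real capture). The 227 reply
# announces data port 6*256 + 127 = 1663, chosen to match one of the ports
# the poster saw being dropped, so the example reproduces the failure mode.
CONTROL_CHANNEL = """\
C: USER vendoruser
S: 331 Password required for vendoruser
C: PASS ********
S: 230 User logged in
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,6,127)
C: STOR daily_report.csv
S: 425 Can't open data connection
"""

CONTROL_PORT = 115  # the only port the vendor originally asked for

PASV_RE = re.compile(
    r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Decode an FTP 227 reply into (server_ip, data_port).

    The six numbers are h1,h2,h3,h4 (server address) and p1,p2; the data
    port is p1*256 + p2. Returns None for any other or malformed reply.
    """
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        return None  # malformed; a firewall must not open a pinhole on it
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def negotiated_data_ports(control_log: str) -> List[int]:
    """Every data port the server announced during the session."""
    ports = []
    for line in control_log.splitlines():
        pasv = parse_pasv(line)
        if pasv:
            ports.append(pasv[1])
    return ports


@dataclass(frozen=True)
class Rule:
    lo: int          # lowest destination port allowed
    hi: int          # highest destination port allowed
    description: str


def control_only_policy() -> List[Rule]:
    """What was opened first: just the control port. Data connections fail."""
    return [Rule(CONTROL_PORT, CONTROL_PORT, "control channel")]


def wide_range_policy() -> List[Rule]:
    """The vendor's follow-up request: a static hole for 1025-65000."""
    return control_only_policy() + [Rule(1025, 65000, "all high ports, always")]


def pinhole_policy(control_log: str) -> List[Rule]:
    """Alternative to a static range: read the 227 replies on the control
    channel and allow exactly the negotiated data port, for this session
    only, as an FTP-aware stateful firewall does."""
    rules = control_only_policy()
    for port in negotiated_data_ports(control_log):
        rules.append(Rule(port, port, f"pinhole for negotiated data port {port}"))
    return rules


def allowed(rules: List[Rule], dst_port: int) -> bool:
    """True if any rule in the policy permits the destination port."""
    return any(r.lo <= dst_port <= r.hi for r in rules)


def transfer_outcome(rules: List[Rule], control_log: str) -> str:
    """'ok' if every negotiated data connection passes the policy, otherwise
    the 425 reply the client ends up logging."""
    for port in negotiated_data_ports(control_log):
        if not allowed(rules, port):
            return "425 Can't open data connection"
    return "ok"


def exposed_high_ports(rules: List[Rule]) -> int:
    """How many destination ports above 1024 the policy leaves open."""
    open_ports = set()
    for r in rules:
        open_ports.update(range(max(r.lo, 1025), r.hi + 1))
    return len(open_ports)


if __name__ == "__main__":
    for name, policy in [("control only", control_only_policy()),
                         ("1025-65000 open", wide_range_policy()),
                         ("pinhole", pinhole_policy(CONTROL_CHANNEL))]:
        print(f"{name:16} -> {transfer_outcome(policy, CONTROL_CHANNEL):32} "
              f"high ports exposed: {exposed_high_ports(policy)}")
```

Running it shows the trade-off behind the second question: the static range makes the transfer work but leaves 63,976 outbound ports open permanently, while the pinhole makes the same transfer work with one port open for the duration of the session. The pinhole approach only works if the gateway actually applies FTP protocol inspection to the control channel; a service defined as plain TCP on port 115 rather than the standard FTP port 21 gets no protocol inspection and hence no dynamic data-port handling, so that definition is the first thing to check on the gateway.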