CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  renato_rj (Member, joined 2006-05-02, 36 posts)  2007-11-05
Violated unidirectional connection with FTP

Hello, could someone explain to me what this log is for?
My firewall is NGX R65 and I see this in my log events.

Number: 1061270
Date: 5Nov2007
Time: 15:22:11
Product: VPN-1 Power/UTM
Interface: eth4
Origin: xxxxxxxx
Type: Log
Action: Drop
Protocol: tcp
Service: ftp-data (20)
Source: xxxxxxxxxxxxxxxxxxx
Destination: xxxxxxxxxxxxxxxxxxx
Source Port: 40902
Information: message_info: Violated unidirectional connection
SmartDefense Profile: Monitor_Only
Policy Info: xxxxxxxxxxxxxxxxxxx
Created at: Tue Oct 30 19:19:46 2007
xxxxxxxxxxxxxxxxxxx

Thanks in advance.

Regards,

Renato_rj.
#2  melipla (Senior Member, joined 2006-01-25, 724 posts)  2007-11-06
Re: Violated unidirectional connection with FTP

It's a SmartDefense monitor log entry; there should be additional columns called "Attack" and "Attack Information" which should give you more detail (at least my R65 does).

As a fun side note, I did a search on your error and look what I found from Ray!

Quote:
Date: Mon, 29 Mar 2004 18:58:51 -0500 using NG AI R55 HFA02.

Fixed. In Policy/Global Properties/Stateful Inspection, we had to check
"Accept stateful UDP replies for unknown services."

Ray
#3  renato_rj (Member, joined 2006-05-02, 36 posts)  2007-11-07
Re: Violated unidirectional connection with FTP

Quote:
Originally Posted by melipla
It's a SmartDefense monitor log entry; there should be additional columns called "Attack" and "Attack Information" which should give you more detail (at least my R65 does).

As a fun side note, I did a search on your error and look what I found from Ray!
Melipla, thanks for your help... But FTP isn't a UDP packet, I don't believe this solution is for me... The fields "Attack" and "Attack Information" return nothing...
My SmartDefense is disabled; I didn't install SmartDefense on my gateway, but the problem continues...

Thanks for your help....

Regards,

Renato....
#4  melipla (Senior Member, joined 2006-01-25, 724 posts)  2007-11-07
Re: Violated unidirectional connection with FTP

Quote:
Originally Posted by renato_rj
Melipla, thanks for your help... But FTP isn't a UDP packet, I don't believe this solution is for me...
Some of the traffic which Ray saw the error for was TCP based. Why changing that UDP option affected it, I cannot say. Do you have this option selected? If so, then we already know it's not a solution for you.

This snippet explains it better than I would, and gives you instructions to work around it, for NG at least:

Quote:
6.22: SmartView Tracker Log Error: Rule 0: Reason:
Violated Unidirectional Connection
FireWall-1 can mark a connection in the connections table to allow traffic to pass in one direction only. This can either be a connection that started from the inside, in which case FireWall-1 would mark the table to read that only outbound packets are allowed, or it can be a connection that originated from the outside, in which case FireWall-1 would mark the table to read that only inbound packets are allowed. This means that data can pass in only one direction (ACK packets as part of normal TCP are acceptable). When a packet violates a unidirectional connection, Check Point logs an entry into SmartView Tracker/ Log Viewer.

UDP services have an option to set a service to accept replies. In a sense, that is unidirectional. Unidirectional TCP connections occur with FTP. Some programs that use FTP do so in a nonstandard way that requires all the connections used by the FTP connection to be bidirectional. To allow for bidirectional FTP connections in FireWall-1 NG, perform the following steps.
You can read the rest at:
http://searchsecurity.techtarget.com...Point-Ch06.pdf
#5  renato_rj (Member, joined 2006-05-02, 36 posts)  2007-11-09
Re: Violated unidirectional connection with FTP

Melipla, thanks again!!!

I'll read this PDF and I'll post some results here....


Regards,

Renato_rj.
#6  renato_rj (Member, joined 2006-05-02, 36 posts)  2007-11-14
Re: Violated unidirectional connection with FTP

Melipla, it seems that solved the problem...

I created a protocol called ftp_basic and applied it in the rule... Works fine!!

Regards,

Renato_rj.
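The behaviour the chapter quoted in #4 describes, and the reason the bidirectional service in #6 makes the drop go away, can be made concrete with a small model. The Python below is an added example, not Check Point code and not from the thread or the linked chapter. It assumes a firewall that reads the client's PORT command, pre-opens the active-mode ftp-data connection (server port 20 to the announced client port), and, unless FTP is configured as bidirectional, marks that entry with the one direction in which application data may flow: server-to-client after RETR or LIST, client-to-server after STOR. How a real gateway infers that direction is not stated on this page; the inference from the last transfer command is this model's assumption. Bare ACKs pass either way, as the chapter says; payload against the marked direction is dropped and recorded in the shape of the thread's log line. The `bidirectional=True` case stands in for a bidirectional FTP service of the kind the chapter and the thread's resolution point at. Addresses, ports and commands are constructed; port 40902 was chosen to match the source port in the original log, reading that entry as the client side of an active-mode data connection sending toward the server's port 20, which is an interpretation, not something the thread confirms.

```python
import re
from dataclasses import dataclass

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" announces the client's data port.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    data: bytes = b""   # application payload; empty for a bare ACK/SYN/FIN


class FtpDataTracker:
    """Toy connection-table state for one FTP session (assumed model, not Check Point's)."""

    def __init__(self, client, server, bidirectional=False):
        self.client, self.server = client, server
        self.bidirectional = bidirectional   # stands in for a bidirectional FTP service
        self.pending = None     # (ip, port) announced by the last PORT command
        self.data_conn = None   # pre-opened ftp-data entry, or None
        self.log = []           # drop records in the spirit of the thread's log line

    def control(self, pkt):
        """Inspect one client->server control-channel packet (server port 21)."""
        text = pkt.data.decode("ascii", "replace").strip()
        m = PORT_RE.match(text)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            self.pending = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            return "PORT recorded"
        verb = text.split(" ", 1)[0].upper()
        if verb in ("RETR", "LIST", "NLST"):
            expect = "s2c"          # server sends the file or listing to the client
        elif verb in ("STOR", "APPE"):
            expect = "c2s"          # client uploads to the server
        else:
            return "ignored"
        if self.pending is None:
            return "no PORT before transfer command"
        ip, port = self.pending
        self.pending = None
        # In active mode the server connects from port 20 to the announced port.
        # Without a bidirectional service the entry is marked with the single
        # direction in which application data may flow (assumed inference).
        self.data_conn = {
            "server": (self.server, 20),
            "client": (ip, port),
            "direction": None if self.bidirectional else expect,
        }
        return f"ftp-data pre-opened, direction={self.data_conn['direction']}"

    def data(self, pkt):
        """Decide on an ftp-data packet: returns 'accept' or a drop reason."""
        c = self.data_conn
        if c is None:
            return "drop: no matching connection"
        fwd = (pkt.src, pkt.sport) == c["server"] and (pkt.dst, pkt.dport) == c["client"]
        rev = (pkt.src, pkt.sport) == c["client"] and (pkt.dst, pkt.dport) == c["server"]
        if not (fwd or rev):
            return "drop: no matching connection"
        if not pkt.data:
            return "accept"          # ACK-only segments are fine in either direction
        pkt_dir = "s2c" if fwd else "c2s"
        if c["direction"] is None or pkt_dir == c["direction"]:
            return "accept"
        self.log.append(
            f"Drop tcp ftp-data(20) {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
            "message_info: Violated unidirectional connection"
        )
        return "drop: Violated unidirectional connection"


def demo(bidirectional):
    """Constructed session: client 10.1.1.5 downloads a file from 192.0.2.10,
    then a nonstandard client sends bytes back on the data channel."""
    fw = FtpDataTracker("10.1.1.5", "192.0.2.10", bidirectional)

    def ctl(cmd):
        return Packet("10.1.1.5", 40901, "192.0.2.10", 21, cmd)

    fw.control(ctl(b"PORT 10,1,1,5,159,198\r\n"))   # 159*256+198 = 40902
    fw.control(ctl(b"RETR report.pdf\r\n"))
    return [
        fw.data(Packet("192.0.2.10", 20, "10.1.1.5", 40902, b"%PDF-1.4 ...")),   # server -> client data
        fw.data(Packet("10.1.1.5", 40902, "192.0.2.10", 20)),                    # client ACK
        fw.data(Packet("10.1.1.5", 40902, "192.0.2.10", 20, b"client chatter")),  # data against the mark
    ]


if __name__ == "__main__":
    for mode in (False, True):
        print("bidirectional" if mode else "unidirectional", demo(mode))
```

Running it shows the same session accepted end to end with `bidirectional=True` and the third packet dropped with "Violated unidirectional connection" without it; the drop is logged in `fw.log`. The practical check this suggests, before reaching for a bidirectional service, is to confirm from the log which side of the ftp-data connection is sending payload against the expected direction, since a bidirectional service removes the directional check for every transfer on that rule, not only for the nonstandard client.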