With Firewall-1 release 4 (it may be Next Generation), our internal clients are able to make an active-mode ftp connection to some external ftp hosts, and with others the connection does not work.
A sniffer and the Firewall-1 security log both pretty clearly show that for the hosts that do not work, Firewall-1 sees the incoming ftp-data connection as not being part of the outgoing ftp connection, and it rejects the incoming ftp-data with the default firewall rule.
Both the connections that work and the ones that fail invoke the *identical* rule number in the firewall security policy, so it is not a rule issue.
I checked the system policy properties, and we do enable both active and passive ftp with checkboxes.
Can someone explain why active ftp would work to some external hosts, but not others?
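The mechanism the question turns on, as an added example that is not part of the original post and not Check Point's code: a minimal model of how a stateful firewall tracks active-mode FTP. It parses the client's PORT command on the control connection (RFC 959), records the ftp-data connection the server is expected to open (from the server to the address and port the client advertised), and admits an inbound SYN only when it matches that expectation. The `strict_source_port` switch, the bounce-attack guard, the `ActiveFtpTracker`/`Flow` names and the sample addresses are assumptions chosen for illustration; whether Firewall-1 checks the server's source port is not stated on the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed example of stateful active-FTP tracking. Not Check Point code;
# the matching rules are assumptions used to show the mechanism.

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20  # RFC 959 default data port (L-1) the server connects from

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I
)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str) -> tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range: {line!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError(f"port 0 is not usable: {line!r}")
    return ip, port


class ActiveFtpTracker:
    """Opens a one-shot pinhole for the ftp-data connection announced by PORT."""

    def __init__(self, strict_source_port: bool = True):
        # Assumption for illustration: when True the server must connect
        # from port 20; when False any source port is accepted as long as
        # server IP, client IP and advertised client port all match.
        self.strict_source_port = strict_source_port
        self.pending: set[tuple[str, str, int]] = set()  # (server_ip, client_ip, client_port)

    def observe_control(self, control: Flow, line: str) -> bool:
        """Feed one client->server line from the control channel; True if a PORT was recorded."""
        if control.dst_port != FTP_CONTROL_PORT:
            return False
        try:
            ip, port = parse_port_command(line)
        except ValueError:
            return False
        # Only accept a PORT that names the client itself (RFC 2577 bounce-attack guard).
        if ip != control.src_ip:
            return False
        self.pending.add((control.dst_ip, ip, port))
        return True

    def admit_inbound(self, syn: Flow) -> bool:
        """Is this inbound SYN the data leg of a tracked session? Consumes the pinhole."""
        key = (syn.src_ip, syn.dst_ip, syn.dst_port)
        if key not in self.pending:
            return False  # no matching PORT seen: falls through to the default rule
        if self.strict_source_port and syn.src_port != FTP_DATA_PORT:
            return False  # expected server:20, server used another source port
        self.pending.discard(key)
        return True


def demo() -> dict[str, bool]:
    """Constructed traffic: one client, two servers that differ in data-connection source port."""
    client, srv20, srvhigh = "10.1.1.5", "192.0.2.10", "198.51.100.7"
    port_cmd = "PORT 10,1,1,5,156,66\r\n"  # client data port 156*256+66 = 40002
    results = {}
    for name, server, src_port in (("server_from_port_20", srv20, 20),
                                   ("server_from_high_port", srvhigh, 43567)):
        fw = ActiveFtpTracker(strict_source_port=True)
        fw.observe_control(Flow(client, 40001, server, 21), port_cmd)
        results[name] = fw.admit_inbound(Flow(server, src_port, client, 40002))
    fw = ActiveFtpTracker(strict_source_port=False)
    fw.observe_control(Flow(client, 40001, srvhigh, 21), port_cmd)
    results["server_from_high_port_relaxed"] = fw.admit_inbound(Flow(srvhigh, 43567, client, 40002))
    results["unsolicited"] = ActiveFtpTracker().admit_inbound(Flow(srv20, 20, client, 40002))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'accepted' if v else 'dropped by default rule'}")
```

`demo()` reproduces the two outcomes the post describes for two servers given the same PORT command: under strict matching one server's data connection is admitted and the other's is not, while a relaxed matcher admits both. The general point is that every field of the expected tuple (server address, source port, client address, advertised client port) is a place where one remote host can differ from another, and the sniffer trace from a failing host is what shows which field did not match what the firewall derived from the PORT command.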