Last week we experienced a problem which we found to be caused by an automatic update of our Checkpoint VPN-1 Edge X's firmware.
It was factory-loaded as:
Firmware Version: 4.5.39x
Hardware Type: SBox-200
Hardware Version: 1.0
Installed Product: VPN-1 Edge X (Unlimited nodes)
One morning we received the news that all our remote employees were no longer able to connect to a proprietary 3rd-party Voxco-server at the office.
After some packet sniffing in a recreated environment we found that this software simply failed at transferring data by passive FTP to the Voxco-server.
The firewall-rules seemed correct and unaltered.
When we tried to connect from an identical 'remote' client-laptop to our own ftp-servers (IIS and FreeBSD) both passive and active connections worked without a problem. Only connecting (passv) to that specific server failed.
Now the tricky bit: using the same Voxco-client software from within the LAN posed no problem. So it was not just a problem with that service!
After quite a bit of systematic troubleshooting, we noticed that the firmware of our Checkpoint VPN-1 Edge X had been automatically upgraded to a 5-series firmware.
We did a factory-reset, recreated the exact same firewall rules, and the problem was gone.
Just to be sure we recreated the problem by upgrading it once more. And the problem re-appeared.
Conclusion: as soon as we upgrade our device to the latest firmware, it blocks some (not all) passive FTP-connections, even though we set up correct forwarding rules.
-- jorain