If an FTP data connection tries to use a port number that has been defined as a service (known service port) in the objects file, an error: "Tried to open TCP service port:" may be displayed in the log viewer. The FTP session will fail and the connection will be dropped on rule 0. This is likely to happen on systems where a large number of high port services have been defined.

To fix the problem you need to:

Backup the $FWDIR/lib/base.def
Edit the $FWDIR/lib/base.def on the management server and make the following two changes:

1. Edit the lines:
define KNOWN_SERVER_TCP_PORT(p) {
(not is_version_at_least(FP2_VER), KNOWN_SERVER_TCP_PORT_BC(p))
or
(is_version_at_least(FP2_VER), call KFUNC_KNOWN_SERVER_PORT<p, PROTO_tcp>)
};

Change them to:
/* INSPECT modification - sk11922 */
define KNOWN_SERVER_TCP_PORT(p) {0};
/* End of INSPECT modification */

2. Edit the lines:
define NOTSERVER_TCP_PORT(p) {
(not is_version_at_least(FP2_VER), NOTSERVER_TCP_PORT_BC(p))
or
(is_version_at_least(FP2_VER), call KFUNC_NOTSERVER_PORT<p, PROTO_tcp>)
};

Change them to:
/* INSPECT modification - sk11922 */
define NOTSERVER_TCP_PORT(p) {not SMALL_PORT(p)};
/* End of INSPECT modification */

NOTE: Changes to .def files will be overwritten when upgrading to a new feature pack.

Provider-1 NG / SmartCentre NG

Not sure how backward compatibility works this change so if the above fix doesn't work and you are using Backward Compatibility, it might be like this for the base.def in 4.1 BC directory ($FWDIR41/lib/base.def)

// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
(not
(
( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
set sr12 p, set sr1 0, log bad_conn)
or
( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
set sr1 0, log bad_conn)
)
)
};

You change it so it reads:

// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
(not
( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
set sr1 0, log bad_conn)
)
};