https://live.paloaltonetworks.com/t5/general-topics/how-to-correctly-decrypt-ftp-over-tls-traffic/m-p/523048#M108341 <P>Hi,</P> <P>I am facing the common issue of Passive FTP (over TLS). Basically, the connection fails due to the dynamic ports assigned in the encrypted channel. It is clear that the solution is to configure PA to decrypt the traffic to identify the dynamic port and PA automatically (and temporarily) will open the traffic for that port.</P> <P>But unfortunately, I could not find detailed instructions for the implementation.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEjCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEjCAK</A></P> <P>&nbsp;</P> <P>I created a decryption rule for my only user with ANY in the service (see attachment) and the problem gets solved, but I didn't feel comfortable with the ANY so I tried filtering by FTP ports. I created a service called FTP Test with TCP 20 and 21 ports.</P> <P>Doing this, the traffic did not match, didn't get decrypted and the FTPs connection failed to list the directory.</P> <P>&nbsp;</P> <P>could you please help me out with the correct configuration?</P> <P>&nbsp;</P> <P>Many thanks.</P> <P>&nbsp;</P><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Thu, 01 Dec 2022 15:56:44 GMT JoseCortijo 2022-12-01T15:56:44Z https://live.paloaltonetworks.com/t5/general-topics/how-to-correctly-decrypt-ftp-over-tls-traffic/m-p/523048#M108341 <P>Hi,</P> <P>I am facing the common issue of Passive FTP (over TLS). Basically, the connection fails due to the dynamic ports assigned in the encrypted channel. It is clear that the solution is to configure PA to decrypt the traffic to identify the dynamic port and PA automatically (and temporarily) will open the traffic for that port.</P> <P>But unfortunately, I could not find detailed instructions for the implementation.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEjCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEjCAK</A></P> <P>&nbsp;</P> <P>I created a decryption rule for my only user with ANY in the service (see attachment) and the problem gets solved, but I didn't feel comfortable with the ANY so I tried filtering by FTP ports. I created a service called FTP Test with TCP 20 and 21 ports.</P> <P>Doing this, the traffic did not match, didn't get decrypted and the FTPs connection failed to list the directory.</P> <P>&nbsp;</P> <P>could you please help me out with the correct configuration?</P> <P>&nbsp;</P> <P>Many thanks.</P> <P>&nbsp;</P><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Thu, 01 Dec 2022 15:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-correctly-decrypt-ftp-over-tls-traffic/m-p/523048#M108341 JoseCortijo 2022-12-01T15:56:44Z https://live.paloaltonetworks.com/t5/general-topics/how-to-correctly-decrypt-ftp-over-tls-traffic/m-p/523184#M108362 <P>Hello,</P> <P>You would need to select the port/service that the traffic is being seen as prior to decryption. Best practice would be to decrypt all traffic and have exceptions to bypass encryption.</P> <P>&nbsp;</P> <P>Hope this helps.</P> Fri, 02 Dec 2022 21:07:23 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-correctly-decrypt-ftp-over-tls-traffic/m-p/523184#M108362 OtakarKlier 2022-12-02T21:07:23Z