topic Re: ftps/ftpes in General Topics

ftps/ftpes

kjh — Wed, 12 Sep 2012 01:32:25 GMT

How can I allow an FTPS (FTPES) connection? I assume the PA tracks an FTP connection and understands the related data connection. Does it understand FTPS? If I set a policy for ftp, it fails when it tries to open a data connection.

Kim

Re: ftps/ftpes

sdurga — Wed, 12 Sep 2012 02:00:04 GMT

Hi Kim,

In order to allow ftps or ftpes we need to do ssl decryptioin. We identify the FTPS control connection as SSL.Since it FTPS is over SSL we donot have any visibility into application and we identify it as SSL connection. If we allow only SSL in our security than we will allow only control connection for the FTPS but not the data connection.

The control session will work fine by just allowing the ssl application but the actual data session (the file transfer) will not work because Paloalto will block that file transfer as that transfer takes on a different set of ports rather than the port 990 that is used for FTPS control connection. So for you to get the FTPS working you will have to do SSL decryption.

I have attached a doc about SSL decryption which I found in the discussions and its really good. Please have a look at it

Thanks,

Sandeep T

Re: ftps/ftpes

steve.chupack — Thu, 23 May 2013 21:50:00 GMT

I believe this is working in 5.0.4 without decryption. I have a single policy that permits the ftp and ssl applications to my IIS7 FTP server.

At first I thought I'd made a mistake, so I checked the following:

1) Is the ftp server allowing unencrypted traffic? Tested: No (it will not accept regular FTP connections)

2) Is my policy erroneously allowing ALL traffic? Tested: No

3) Is only the control channel encrypted and data is unencrypted? I wiresharked my traffic while transferring an ASCII file, and the data stream definitely looks encrypted. That and IIS is configured to encrypt both.

Can anyone confirm that recent firmware does indeed "understand" the FTPS protocol when you specify both ftp and ssl as permitted applications?

Re: ftps/ftpes

Sly_Cooper — Wed, 20 Jan 2016 00:37:17 GMT

I just faced the ftps issue and was searching the community articles. For me the problem was not resolved by adding SSL. The data connection did not work. The app was using range of high ports which I ended up allowing as service and solved the issue. I did not attempt ssl decryption since I had to fix it ASAP :).

Re: ftps/ftpes

reaper — Wed, 20 Jan 2016 08:45:31 GMT

you'll need to enable ssl decryption as those high ports are negotiated in the initial ftp (control) connection. only by looking inside the encrypted session can the firewall determine which ports will be used for the data session and will a predict session be created to properly handle the high port session

hope this helps

Tom

Re: ftps/ftpes

JonHoSee — Tue, 14 Jul 2020 01:27:41 GMT

Hi, what about when the inbound traffic is explicit FTPS where the control channel is over port 21 and data is high ranged ports as SSL.

In our case port 21 is being seen as FTP app-id and the high-ranged ports are seen as SSL. We need a way to detect this and restrict regular FTP. Any suggestions? TIA...