https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6229#M4544 <HTML><HEAD></HEAD><BODY><P>I have a new rule for this testing configured as follows:</P><P>Source Zone: Untrust<BR />Source Address: Any<BR />Source User: Any</P><P>Destination Zone: Trust<BR />Destination Address: My FTP's Nat Address<BR /><BR />Application: Any<BR />Service(s): <BR />-Custom FTP(port 31)<BR />-Custom FTPS(port 990)<BR />-Custom SFTP(port 32)<BR />Service-HTTP<BR />Service-HTTPS</P><P>Profiles: Only blocking for Virus' and Spyware.&nbsp; Everything else open.<BR />Sessions sent at END only.</P><P>I have a production Microsoft FTP server on the same server as the WING.&nbsp; The MS FTP is only listening on port 21, hence the custom ports of 31/32.&nbsp; The MS FTP works fine from both outside and inside the LAN.</P><P>There is a test Outbound rule for this server but I have never seen it used yet.</P><P>[See attached screenshot.]</P></BODY></HTML> Tue, 27 Sep 2011 17:05:12 GMT migration 2011-09-27T17:05:12Z https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6227#M4542 <HTML><HEAD></HEAD><BODY><P>Greetings,</P><P></P><P>I am trialing a WING FTP server here at the office.&nbsp; FTP and HTTPS work fine to the server from a FileZilla client.&nbsp; I have an SSL certificate loaded onto the server for FTPS/HTTPS.&nbsp; When I try to connect to the server via FTPS (port 990), the client connects but gets stuch at listing the directory contents.&nbsp; The FileZilla client hangs at the command : MLSD.&nbsp; Eventually, it times out.</P><P>I confirmed that FTPS works on my LAN so I am focusing on the firewall.&nbsp; I do not see any Threat attempts that may have been dropped except for a few previous attempts at an SSH&nbsp; (SFTP) connection I tried.</P><P>Any thoughts?</P><P>P.S.&gt; an SSH connection works to this server from the outside,as well.&nbsp; So it looks like the only issue is with FTP over SSL.</P><P>Thanks, Mike</P></BODY></HTML> Mon, 26 Sep 2011 19:36:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6227#M4542 migration 2011-09-26T19:36:20Z https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6228#M4543 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>May I know how you apply your policy for SSH traffic to your server? Have you tried to allow SSH traffic to and from your SFTP server?</P><P></P><P>Regards,</P><P></P><P>Jones</P></BODY></HTML> Tue, 27 Sep 2011 16:22:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6228#M4543 jleung 2011-09-27T16:22:25Z https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6229#M4544 <HTML><HEAD></HEAD><BODY><P>I have a new rule for this testing configured as follows:</P><P>Source Zone: Untrust<BR />Source Address: Any<BR />Source User: Any</P><P>Destination Zone: Trust<BR />Destination Address: My FTP's Nat Address<BR /><BR />Application: Any<BR />Service(s): <BR />-Custom FTP(port 31)<BR />-Custom FTPS(port 990)<BR />-Custom SFTP(port 32)<BR />Service-HTTP<BR />Service-HTTPS</P><P>Profiles: Only blocking for Virus' and Spyware.&nbsp; Everything else open.<BR />Sessions sent at END only.</P><P>I have a production Microsoft FTP server on the same server as the WING.&nbsp; The MS FTP is only listening on port 21, hence the custom ports of 31/32.&nbsp; The MS FTP works fine from both outside and inside the LAN.</P><P>There is a test Outbound rule for this server but I have never seen it used yet.</P><P>[See attached screenshot.]</P></BODY></HTML> Tue, 27 Sep 2011 17:05:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6229#M4544 migration 2011-09-27T17:05:12Z https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6230#M4545 <HTML><HEAD></HEAD><BODY><P>@mwaters31:</P><P></P><P>are you seeing any drops in the traffic logs?</P><P></P><P>if not and since you are not seeing the traffic match your security rule I am going to assume that the implicit deny rule is dropping your traffic. This would mean that some of the parameters of the traffic do not conform with the security policy. I suggest performing a packet capture from the ftp client and server to determine where your security policy is not matching the actual traffic.</P><P></P><P>-Benjamin</P></BODY></HTML> Wed, 09 Nov 2011 08:23:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6230#M4545 bpappas 2011-11-09T08:23:27Z https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6231#M4546 <HTML><HEAD></HEAD><BODY><P>It actually ended up being a problem with the configuration of their server.&nbsp; It works fine now.&nbsp; Thanks for checking in.</P><P>Mike</P></BODY></HTML> Wed, 09 Nov 2011 15:54:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-question/m-p/6231#M4546 migration 2011-11-09T15:54:55Z