topic ftp server in General Topics

ftp server

franck.lichnowski — Thu, 12 Apr 2012 09:32:57 GMT

Hello,

I can't make active ftp working.

My ftp server is internal server (IP is public).

My policy accept ftp application on default ftp application in inboud (Internert -> ftp server).

How to make active session works ? Passive works fine.

Thanks.

Franck.

Re: ftp server

zarina — Mon, 16 Apr 2012 23:06:12 GMT

Franck,

Please open a case with Support so that we can review your config and troubleshoot further.

Thanks,

Sri

Re: ftp server

dieter_b — Wed, 18 Apr 2012 10:54:38 GMT

Do you have a corresponding NAT rule for that incoming traffic ?

Re: ftp server

ppatel — Sun, 22 Apr 2012 00:59:04 GMT

Hi Frank,

As said before, please confirm if there is appropriate NAT rule configured for FTP.

Similar to the following should be the security rule:-

Security Rule :-FTP-rule-Inbound

Source Zone:- untrust (Outside zone)

Destination Zone:- trust (inside zone)

Source Address:- any

Destination Address:-64,123,23,20 (Public Ip of FTP Sever)

Application: FTP

Action:- Allow

ATTACHMENT:- FTP-rule.PNG

For incoming connection, what we call Destination NAT should be applied:-
It should look something like the following:-

NAT Rule:- FTP-inbound

Source Zone : Untrust (Outside zone)

Desination Zone:- Untrust (Outside zone)

Source Address: Any

Destination Address:64,123,23,20 (Public Ip of FTP Sever)

Source Translation: None

Destination Translation:- 192.168.10.10 (Internal Ip of FTP Server)
ATTACHMENT:- NAT-inbound.PNG

Regards,

Parth

Re: ftp server

franck.lichnowski — Mon, 23 Apr 2012 08:05:31 GMT

Hi Parth,

thanks for the reply.
NAT is not active. All my IP are publics, no internal private IP.

My rules is like this :

Security Rule : ftp-in
Source Zone:- untrust (Outside zone)
Source Address:- any
Destination Zone:- DR-LAN (inside zone)
Destination Address: 194.57.xxx.xxx (Public Ip of FTP Sever)
Application: FTP (application default)
Action:- Allow

With this only passive connexion works. Active not. I don't know why.
I 'am on PANoS 4.0.10

I log all connexions, I never see any connexion in active : my server from port 20 to client (1024 - 65535).

With my old networks infrastructure (extreme networks) active works fine, so my server's configuration is fine.

May be it's because I let application ftp (service) with default ports (21) ?? May be I must set service on "any" ?

Regards.

Re: ftp server

mikand — Mon, 23 Apr 2012 08:12:20 GMT

You should still see the blocked flows in your traffic log.

Make sure that you in the end of your security rules manually setup one such as:

srczone: any

dstzone: any

srcip: any

dstip: any

user: any

application: any

action: deny

options: log on session start, log on session end

You should now see how your PA identifies the outgoing traffic from your FTP server (regarding active connection) in case this isnt matched to the ongoing incoming session.

For default deny in the bottom log on session start is the natural option for me (since the traffic is denied), however use also on session end for debugging since this will also include trafficvolume and identified application.

Re: ftp server

franck.lichnowski — Mon, 23 Apr 2012 08:33:03 GMT

omg,

the problem came from another network switch (Extreme Networks X650) in head of PA 4020.

The problem is come form this rule :

enable ip-security anomaly-protection tcp flags

Thanks for all replies.

Active now works with :

application : ftp

service : application default

Regards,

Franck.