https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8277#M6109 <HTML><HEAD></HEAD><BODY><P>Besides a few business systems that have FTP needs - we block ftp unless you are a "domain" authenticated IT person. Initially we found a few domain or local system accounts that had a business need to FTP (and those we made accommodations for), but overall it was successful very early on. Provided most everyone in your environment logs into the domain - using AD users and groups within the rules works very slick. We also setup a daily report showing FTP usage, to keep an eye on IT usage and DLP. And we include Threat/AV/URL/Wildfire to the ftp allow rule.</P><P><BR />Initially we setup the rule in logging only for a few months to get a handle of who/what/when was happening for FTP.</P><P><BR />Cheers,</P><P><BR />Mike</P></BODY></HTML> Tue, 02 Apr 2013 12:49:22 GMT MGoodnow 2013-04-02T12:49:22Z https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8275#M6107 <HTML><HEAD></HEAD><BODY><P>Based on recent research by Palo Alto there appears to be a greater emphasis needed&nbsp; on managing FTP.&nbsp; What approach have you found&nbsp; most easily to deploy?&nbsp; The two options I can think of are:</P><P></P><P>1. Controlling who can do FTP</P><P>2. Only allowing FTP access to trusted FTP sites</P><P></P><P>Any thoughts or ideas appreciated. </P><P></P><P>Phil</P></BODY></HTML> Mon, 01 Apr 2013 23:33:41 GMT https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8275#M6107 HITSSEC 2013-04-01T23:33:41Z https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8276#M6108 <HTML><HEAD></HEAD><BODY><P>Depends on your situation.</P><P></P><P>A regular web-browsing client usually doesnt have to be able to use ftp for daily use.</P><P></P><P>So if your case is to block malware reaching clients then the hole which you allow clients through should be as narrow as possible. And if possible also consider using terminalserver solutions or dedicated (virtual) appliances such as <A href="http://www.webconverger.com/" title="http://www.webconverger.com/">Webconverger - opensource Web Kiosk PC operating system</A></P><P></P><P>An easy way to achieve the above (in terms of PA configuration) is a combination of your suggestions.</P><P></P><P>First of all, not everyone should be allowed for ftp. And those who are will be limited to dedicated sites.</P><P></P><P>Im not sure if you can use url filtering for this but if you can then a somewhat healthy approach is to only allow sites which belongs to specific categories.</P><P></P><P>Also dont forget to enable AV scanning in PA for the traffic passing through.</P><P></P><P>A potential threat is encrypted ftp. There is both SFTP and FTPS. Im not sure if the SSL-termination in PA will help you that much with both of the cases (if any).</P></BODY></HTML> Tue, 02 Apr 2013 03:12:10 GMT https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8276#M6108 mikand 2013-04-02T03:12:10Z https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8277#M6109 <HTML><HEAD></HEAD><BODY><P>Besides a few business systems that have FTP needs - we block ftp unless you are a "domain" authenticated IT person. Initially we found a few domain or local system accounts that had a business need to FTP (and those we made accommodations for), but overall it was successful very early on. Provided most everyone in your environment logs into the domain - using AD users and groups within the rules works very slick. We also setup a daily report showing FTP usage, to keep an eye on IT usage and DLP. And we include Threat/AV/URL/Wildfire to the ftp allow rule.</P><P><BR />Initially we setup the rule in logging only for a few months to get a handle of who/what/when was happening for FTP.</P><P><BR />Cheers,</P><P><BR />Mike</P></BODY></HTML> Tue, 02 Apr 2013 12:49:22 GMT https://live.paloaltonetworks.com/t5/general-topics/approach-to-manage-ftp/m-p/8277#M6109 MGoodnow 2013-04-02T12:49:22Z