topic Re: Guide to FTPS? in General Topics

Guide to FTPS?

RobinClayton — Mon, 11 Jun 2018 13:53:49 GMT

One of our partners is switching it's service to FTPS,

Does anyone know of a decent guide on implementing FTPS? I saw a brife article by "sdurga" but it's not very detailed.

We don't presently do any SSL decryption so unsure of what we need to do and what effect it may have on other parts of the system???

Thanks

Robin

Re: Guide to FTPS?

BPry — Mon, 11 Jun 2018 18:20:00 GMT

@RobinClayton,

Like what you have to enable on the firewall to get the traffic to be allowed through or what exactly are you looking for?

Re: Guide to FTPS?

RobinClayton — Tue, 12 Jun 2018 07:58:38 GMT

This is the only information I have found,

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-FTPS-FTPES-Traffic-Through-the-Firewall/ta-p/55425

We don't presently have any SSL decryption so I am workign out how to get a trusted CERT workign first,

But would the rule need applciations FTP/SSL , it's unclear from the above post?

Thanks

Rob

Re: Guide to FTPS?

Laurent_Dormond — Tue, 12 Jun 2018 09:07:02 GMT

Hi,

FTPS is basically FTP over SSL layer (do not confuse with SFTP), which means that since you enable SSL decryption you should see application "FTP". When you don't enable SSL decryption you will see application "SSL".

Just be carefull as often, FTPS service are running on exotic ports (I have many in my environment on port 90x or 120x it depends of the provider. In this case be sure to disable "default application" in the service tab (and use particular service or "any") otherwise your FW wil drop the traffic.

Regards,

Re: Guide to FTPS?

BPry — Tue, 12 Jun 2018 12:44:58 GMT

@RobinClayton,

As @Laurent_Dormond pointed out this traffic really isn't any different than any other application that you would have to allow through the firewall. You'll simply need to identify the ports that this server is going to use and allow the identified applications on that range of ports. More that likley the only app-id that the firewall will see is going to be 'ssl' unless you start decrypting the traffic moving forward.

Re: Guide to FTPS?

RobinClayton — Tue, 19 Jun 2018 08:28:18 GMT

So initialy then, I will just enable SSL from the source to the destiantion on the expected port.

Perhaps in future once tested and working we would move to SSL Decryption and inspect the application inside the tunnel.

Cheers

Rob

Re: Guide to FTPS?

BPry — Tue, 19 Jun 2018 15:16:15 GMT

@RobinClayton,

Right. You would just have a policy similar to something like

set rulebase security rules "Allow FTPS" from untrust to dmz source any destination FTPS-Server application ssl service [ FTPS service-https ] action allow log-end yes

Note that in this example I have an address object 'FTPS-Server' that ties to the destination address of the FTPS server that you would be using, and I've created a service object 'FTPS' that maps to tcp-990. You likely wouldn't want to actually allow a source 'any' in this policy and you would likely want to assign some security profile or security group to this.