https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/230225#M66187 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15381">@AnalysisMan</a>,</P><P>While creating a specific rule like you've mentioned would certaintly be an option, a better troubleshooting method would always be enabling logging on the default rules so that you capture all denied traffic and can filter as needed. Since there are additional considerations when using Active FTP&nbsp;its likely that this connection would actually fail prior to ever hitting the recommended security policy.&nbsp;</P> Mon, 10 Sep 2018 18:29:48 GMT BPry 2018-09-10T18:29:48Z https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/229941#M66108 <P>Hi,</P><P>&nbsp;</P><P>We have a inbound NAT for FTPS but the connections are not working. We can not see any deny in FWs.</P><P>We dont have decrypt SSL configured. I think it shouldnt be necessary, right?</P><P>Policy configures has "ssl" and "ftp" allowed. this is the ftp log:</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Logs ftps.JPG" style="width: 343px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16472iFD8E696E8209C787/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Logs ftps.JPG" alt="Logs ftps.JPG" /></span></P><P>Why ftps connections are not working?? any dynamic port or something like that?</P> Fri, 07 Sep 2018 09:34:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/229941#M66108 BigPalo 2018-09-07T09:34:30Z https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/229952#M66109 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a></P><P>I assume you are using active FTP. In this case TLS decryption is required for the firewall to be able to see the negotiated port and to open the connection dynamically. But there might also be some more problems: As the data connection is initiated by the server towards the client in active FTP, the source NAT IP needs to be the same as the destination NAT IP from the inbound NAT rule.</P><P>&nbsp;</P><P>But to make your situation easier, just use passive FTP and the connection (assuming that the required security policies are in place) will work without TLS decryption.</P> Fri, 07 Sep 2018 10:28:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/229952#M66109 Remo 2018-09-07T10:28:06Z https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/230072#M66157 <P>You won't be able to see the deny logs for the implicitly denied rule, unless you set to log it with a specific rule. You may try two options.</P><P>1) Add two Services Objects with TCP/20 and 21, and allow it on the Security Policies.</P><P>2) Do a packet capture while you are testing an FTP connection.</P> Sat, 08 Sep 2018 02:21:33 GMT https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/230072#M66157 AnalysisMan 2018-09-08T02:21:33Z https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/230225#M66187 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15381">@AnalysisMan</a>,</P><P>While creating a specific rule like you've mentioned would certaintly be an option, a better troubleshooting method would always be enabling logging on the default rules so that you capture all denied traffic and can filter as needed. Since there are additional considerations when using Active FTP&nbsp;its likely that this connection would actually fail prior to ever hitting the recommended security policy.&nbsp;</P> Mon, 10 Sep 2018 18:29:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ftps-connections-are-not-working/m-p/230225#M66187 BPry 2018-09-10T18:29:48Z