topic Re: Passive FTP in General Topics

Passive FTP

andyyps — Thu, 24 Mar 2011 22:01:49 GMT

Hi,

Is there any trick to allow passive FTP inbound?

I have set a security rule to allow APPLICATION-FTP inbound, and a NAT rule to let Port 21 inbound. Works fine for ACTIVE, but PASSIVE fails at the LIST command.

Help would be appreciated.

Thanks.

Dean

Re: Passive FTP

gsamuels — Fri, 25 Mar 2011 02:12:25 GMT

Application FTP covers both activ and passive ftp, unless you have it set for application default on the policy there should be no reason for us to drop this traffic.

We may need to take a closer look at your policy.

Re: Passive FTP

KGC — Tue, 03 May 2011 03:45:25 GMT

I am confused - so we should *not* set our FTP policy for application-default?

We are having the same issues - our outbound FTP (using the ftp application and application-default service) will only allow active mode FTP. Yet oddly, out inbound FTP rule using the same configuration is working for both PASV and active mode.

???

Re: Passive FTP

mjacobsen — Tue, 03 May 2011 05:33:08 GMT

It is possible you are running into an issue we recently uncovered with NAT when a client and server both support FTP extensions and use EPSV/EPRT instead of the normal PASV/PORT commands for active connections. This is being addressed and should be fixed in an upcoming content release. If either the client or the server do not advertise support for those extensions, everything will work fine through NAT.

Mike

Re: Passive FTP

KGC — Tue, 03 May 2011 16:46:54 GMT

Thanks - so what would be the work-around in the meantime?

Specifically, we have users who use IE/Windows Explorer as their FTP client to transfer files to and from our internal server in the DMZ. They have always had the "Use Passive" options checked which worked until we moved to the PA firewalls. Now it does not work.

The same FTP server (using an identical security rule) performs fine externally using PASV mode.

The only difference, as you mentioned, is the NAT rule: from the trust zone it uses a dynamic ip-and-port source translation, and from untrust it uses destination translation on TCP 21.

Is there anything we can do on the firewall to work around this issue?

Re: Passive FTP

camkim_MDEA — Wed, 04 May 2011 18:38:41 GMT

If we roll back from the threat updates dated 5/3, is that a temporary workaround? Been on hold for 15 minutes, trying to talk somebody about this.

Re: Passive FTP

bpappas — Wed, 04 May 2011 18:54:58 GMT

Reverting to the 243 content release will fix the issue.

The 244 content has been pulled and the content team is currently working on a fix.

-Benjamin

Re: Passive FTP

KGC — Wed, 04 May 2011 19:22:57 GMT

Hmm, but we never ran on this version of content updates on our firewalls. Panorama did download and apply it locally, but the firewalls aren't set to auto-apply.

And I just saw the retraction accouncement posted here - is there any way to subscribe to these?

Re: Passive FTP

bpappas — Wed, 04 May 2011 19:58:22 GMT

@Ksemenov:

currently you have two options:

1. subscribe to the PA Networks Support Team Twitter feed: pantwks_support

2. keep an eye on the top page of our Knowledge Point site for important announcements

We are working on enhancing this further to improve customer visibility on important issues.

-Benjamin

Re: Passive FTP

joshsmtech — Wed, 04 May 2011 21:00:26 GMT

Yes, we are having the same issue with passive FTP. Traffic is getting blocked by the implicit deny rule I have in place, probably because NAT is messing with the connection. I was able to get around temporarily by permitting all port from our source IP to the specific remote IP. This was temporary from one of our critical transfer. I just reverted back to Content Update 243 and am waiting for our sysadmin to test again.

Re: Passive FTP

joshsmtech — Wed, 04 May 2011 21:11:25 GMT

Rolled back to 243 and all works well now.

Re: Passive FTP

KGC — Wed, 04 May 2011 22:27:00 GMT

Perfect - thanks.

This finally gives me a reason to even consider looking at Twitter

Re: Passive FTP

dagibbs — Thu, 05 May 2011 01:47:36 GMT

bpappas wrote:

Reverting to the 243 content release will fix the issue.

The 244 content has been pulled and the content team is currently working on a fix.

-Benjamin

Don't these things get tested before release? Especially when it's a modified decoder?

This had a massive impact on my company's business until I traced the issues to the time the update was applied and rolled back tot he previous version. I'm not imrpessed - especially given how much subscribing to updates for this service costs!

Re: Passive FTP

MGoodnow — Thu, 05 May 2011 13:47:01 GMT

Feature Request - could the Threat Content and App Content be seperated into 2 packages? I want to get Threat Content as it becomes available - but seeing how there have been a few instances where decoder updates have affected business related activities - would like to hold off on App updates until they have had more wide-spread acceptance. Thank you.

Cheers,

Mike

Re: Passive FTP

MGoodnow — Thu, 05 May 2011 13:56:24 GMT

Content update 245-965 has resolved our FTP issue. Thanks for quickly getting us the fix!

Re: Passive FTP

mharding — Thu, 05 May 2011 18:56:22 GMT