topic Re: Enable FTP and FTPS for Active/Passive? in General Topics

Enable FTP and FTPS for Active/Passive?

OMatlock — Mon, 25 Jun 2018 15:37:27 GMT

Hello Folks,

We have a CrushFTP server installed on a server behind our PA 3020 PANOS: 7.1.14, SSL decrypt not enabled.

Security Rule:

NAT Rule:

Trying to figure out why Active and Passive with FTP over TLS (SSL) will not retrieve the directory listing and will not complete connection. Works fine with just FTP (insecure).

Do I need to add SSL to the security rule?

Filezilla client set to Active - FTP Only (Insecure) - Why do I not see the data transfer port 20 when I upload a file?

Filezilla Client set to Active - FTP over TLS

Filezilla client set to Passive - FTP Only (Insecure)

Filezilla client set to Passive - FTP over TLS (SSL) - Does this mean that FTPS is detected as SSL and discarded because not added to the security rule?

For reference:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-FTPS-FTPES-Traffic-Through-the-Firewall/ta-p/55425

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-for-FTP/ta-p/58420

Re: Enable FTP and FTPS for Active/Passive?

OMatlock — Wed, 27 Jun 2018 11:42:10 GMT

No response so far. I will close this thread by the end of the week.

Re: Enable FTP and FTPS for Active/Passive?

BPry — Wed, 27 Jun 2018 15:39:42 GMT

@OMatlock,

You need SSL included in the policy if you are using FTPS and you aren't going to be decrypting the traffic. I suspect that the reason that you really haven't gotten any response is nobody here is using CrushFTP and therefore can't tell you which applications will actually be identified.

It really sounds like what you need to do is actually see what the firewall is identifying the traffic and allow what it can see. Most of the traffic will likely actually identify as 'ssl' and be spread across whatever ports your FTPS server is actually using. You can see this easily if you temporarily build out an 'allow all' policy with one specific allowed testing IP and actually perfrom an upload and a download while logging the transactions.

Just as an FYI the current Security Policy that you have specified really isn't that great since it has to allow a small amount of data to determine the application across all ports. I would verify which applications are actually coming across and then specify that application [ x y z ] can use services [ service-https whateverelse ] as you now have a much smaller threat vector.

Re: Enable FTP and FTPS for Active/Passive?

dstjames — Wed, 27 Jun 2018 15:42:57 GMT

We changed over to SFTP rather than FTPS and are much happier. The issue we had with FTPS is the random ports that are used were causing us issues.

Re: Enable FTP and FTPS for Active/Passive?

OMatlock — Wed, 27 Jun 2018 21:58:23 GMT

Thank you for the feedback!

Good advice about allow all and see the applications used in the traffic.

After that could narrow the rule to ftp and ssl (and or if other).

Will update.

Re: Enable FTP and FTPS for Active/Passive?

AnthonyChanTBPH — Wed, 09 Sep 2020 06:11:42 GMT

Creating the application override for the FTPS works for me.

Thanks!!!