How to Create an Application Override for FTP


Note: The following article outlines additional steps required in the event an app-override needs to be enabled for an active FTP connection. It is not required if app-override is not needed in the first place.


Overview

FTP is exclusively a TCP-based service; there is no UDP component to FTP. FTP is unusual in that it uses two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that, depending on the mode, the data port is not always port 20.


Details

Active FTP:

In active mode FTP, the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server then connects back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

[Figure: active mode FTP connection flow]


Passive FTP:

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

[Figure: passive mode FTP connection flow]

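As an added illustration (not part of the original article), the following Python shows what a firewall has to recover from the control channel in order to expect the data connection before it arrives, which is the predict-session behaviour that an app override switches off: it decodes the active-mode PORT command and the passive-mode 227 reply (both carry h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) into the expected data flow, and rejects advertised addresses that differ from the control peer or data ports that are not > 1023. The control-channel exchange and the addresses are constructed sample data.

```python
import re
from dataclasses import dataclass
# Added example (not from the article): recover the data connection a firewall
# must expect from the FTP control channel, the way an App-ID predict session
# does. PORT and the 227 PASV reply both encode h1,h2,h3,h4,p1,p2 (port=p1*256+p2).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" or "passive"
    src_ip: str      # host that will open the data connection
    src_port: int    # 20 in active mode; 0 = unknown ephemeral port in passive mode
    dst_ip: str
    dst_port: int

def decode_hostport(octets):
    """Decode (h1,h2,h3,h4,p1,p2) strings into (ip, port), rejecting bad values."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in octets)
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port <= 1023:  # data ports are expected to be unprivileged (> 1023)
        raise ValueError(f"data port {port} is not > 1023")
    return f"{h1}.{h2}.{h3}.{h4}", port

def predict_data_channels(control, client_ip, server_ip):
    """control: list of (sender, line). Returns the data channels to expect."""
    expected = []
    for sender, line in control:
        m = PORT_RE.match(line) if sender == "client" else PASV_RE.match(line)
        if not m:
            continue
        ip, port = decode_hostport(m.groups())
        if sender == "client":    # active: server:20 -> client's advertised port
            if ip != client_ip:   # advertised host != control peer: do not pre-open
                raise ValueError(f"PORT advertises {ip}, control peer is {client_ip}")
            expected.append(DataChannel("active", server_ip, 20, ip, port))
        else:                     # passive: client ephemeral -> server's advertised port
            if ip != server_ip:   # e.g. server behind NAT advertising its private address
                raise ValueError(f"PASV advertises {ip}, control peer is {server_ip}")
            expected.append(DataChannel("passive", client_ip, 0, ip, port))
    return expected

# Constructed control-channel exchange (sample data, not captured traffic).
SAMPLE_CONTROL = [
    ("client", "PORT 192,0,2,10,4,1"),                               # 4*256+1 = 1025
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,7,195,89)."),  # 195*256+89 = 50009
]
```

Running `predict_data_channels(SAMPLE_CONTROL, "192.0.2.10", "198.51.100.7")` yields one active channel (server port 20 to client port 1025) and one passive channel (client to server port 50009), which are exactly the flows the security policy must otherwise allow explicitly once an override is in place.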

Steps

The Palo Alto Networks firewall supports application overrides, which help with applications that have special requirements.

To configure an application override for the FTP protocol, the following steps apply:

  1. Create a custom application that uses the FTP ports: 20, 21 and the dynamic ports greater than 1024.
    [Screenshots: custom application configuration]
  2. Create an Application Override rule.
    [Screenshots: application override policy configuration]
  3. Make sure that there is a Security policy allowing the newly defined traffic (custom-ftp); otherwise traffic for this application will be dropped.
    [Screenshot: security policy]

Comments
Is this really required just to allow PASV FTP through the firewall, and if so, doesn't this mean threat prevention for this protocol will be disabled entirely? In effect, creating the application override for PASV FTP will stop us scanning this traffic for viruses and attacks. It's not 1992 anymore. I would expect a Next Generation firewall should be able to handle PASV mode FTP in 2017.

Hi @AndrewCraick


No, this is not required, this article outlines what needs to be done in the event you need to enable app-override for some reason.


If you do not use an app override, App-ID will automatically create a predict session to accommodate the data connection originating from the server and create a reverse session once a data transfer is initiated, even without an explicit policy to allow this flow (since it is outside to inside).


If you do need to create an app override, this predict session won't be created, so additional steps are required to make FTP work under those conditions.


Hi @reaper


Do we see any reverse traffic (server-to-client data traffic) in the logs if the application override is implemented for Active FTP?

Hi,


I want to give permission to access the FTP server for one client IP. I have configured one policy that allows all applications.


How can I do it?


They have configured only one policy to allow access for all applications.

Is it necessary to give the Source Zone while creating this? Can we give only the source IP and destination IP?

Hi @V.Alex


It's best practice to fill out as many fields as accurately as possible, but it is not mandatory. If you require the source/destination zone to be 'any', this is perfectly possible.


I'm not sure what you mean by "They have configred only one policy to allow acess for all application."

There is a security policy that only allows the custom application.


Here's another article that explains the concept of app overrides more broadly; hopefully this helps explain it a little more clearly: Getting Started: Custom applications and app override

Hi,


If someone wants to transfer data over FTP, will it work, as we allowed port 21 on the App-ID?


I have the requirement to allow FTPS (20/21/range of ports), but I need to ensure I am blocking FTP so that we don't send the creds in clear text.