We have a inbound NAT for FTPS but the connections are not working. We can not see any deny in FWs.
We dont have decrypt SSL configured. I think it shouldnt be necessary, right?
Policy configures has "ssl" and "ftp" allowed. this is the ftp log:
Why ftps connections are not working?? any dynamic port or something like that?
I assume you are using active FTP. In this case TLS decryption is required for the firewall to be able to see the negotiated port and to open the connection dynamically. But there might also be some more problems: As the data connection is initiated by the server towards the client in active FTP, the source NAT IP needs to be the same as the destination NAT IP from the inbound NAT rule.
But to make your situation easier, just use passive FTP and the connection (assuming that the required security policies are in place) will work without TLS decryption.
You won't be able to see the deny logs for the implicitly denied rule, unless you set to log it with a specific rule. You may try two options.
1) Add two Services Objects with TCP/20 and 21, and allow it on the Security Policies.
2) Do a packet capture while you are testing an FTP connection.
While creating a specific rule like you've mentioned would certaintly be an option, a better troubleshooting method would always be enabling logging on the default rules so that you capture all denied traffic and can filter as needed. Since there are additional considerations when using Active FTP its likely that this connection would actually fail prior to ever hitting the recommended security policy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!