I have a "HA" pair of firewalls in Azure sitting behind an external Load Balancer. I have an FTP server that I have to configure behind the firewalls. I am able to connect locally to the FTP server and it works as expected, but when I point the FTP client to the Public IP address of the LB, I am able to connect but not able to get the directory. I am using passive FTPS. I see the connection in the traffic table, and it has NAT applied and is Allowed by the correct Security Rule. I am thinking it may be Azure causing the issue, but am unsure at this point.
Any suggestions would be greatly appreciated.
Are the PANs active/passive or active/active? If A/A, it's probably asymmetric routing back to the client.
Just a thought.
What is your NAT configuration? You should have both a Destination NAT of the FTP server and a Source NAT of the Trust side interface of the Firewall in the NAT policy. That will ensure proper return path.
Are you using FTP or FTPS? I see both mentioned in your post. Also, when you say you see the connection in the traffic table, do you see both the control and data channels or just the control?
One thing to look at is the distribution mode on the load balancer:
If you are using 'None' as the distribution mode, the load balancer will use src IP, src port, dst IP, dst port, and protocol to determine the backend pool member to use. If the control channel lands on one FW and the data channel on the other, the data channel will be dropped. Changing to one of the other distribution algorithms ("src IP" or "src IP and protocol") should ensure that both land on the same FW.
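As an added illustration of the distribution-mode point above (this is not code from the thread or from Azure), the model below hashes a passive session's control flow (port 21) and its data flow (different client port and server port) the way each mode keys its hash, and counts how often the two channels land on different backends. Backend names, addresses and ports are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed: the two firewalls in the load balancer's backend pool.
BACKENDS = ["fw-a", "fw-b"]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def _pick(key: str) -> str:
    # Deterministic stand-in for the LB's internal hash: key -> backend index.
    digest = hashlib.sha256(key.encode()).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]


def select_backend(flow: Flow, mode: str) -> str:
    """Pick a backend using the tuple each distribution mode hashes on."""
    if mode == "None":  # 5-tuple: src IP, src port, dst IP, dst port, protocol
        key = f"{flow.src_ip}|{flow.src_port}|{flow.dst_ip}|{flow.dst_port}|{flow.proto}"
    elif mode == "src IP":  # 2-tuple: src IP, dst IP
        key = f"{flow.src_ip}|{flow.dst_ip}"
    elif mode == "src IP and protocol":  # 3-tuple: src IP, dst IP, protocol
        key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}"
    else:
        raise ValueError(f"unknown distribution mode: {mode}")
    return _pick(key)


def passive_session(client_ip: str, client_ports: tuple, lb_ip: str, data_port: int):
    """Control channel to port 21 plus the separate passive data channel."""
    control = Flow(client_ip, client_ports[0], lb_ip, 21, "tcp")
    data = Flow(client_ip, client_ports[1], lb_ip, data_port, "tcp")
    return control, data


def same_firewall(control: Flow, data: Flow, mode: str) -> bool:
    return select_backend(control, mode) == select_backend(data, mode)


def split_rate(mode: str, trials: int = 1000) -> float:
    """Fraction of constructed sessions whose control and data channels diverge."""
    splits = 0
    for i in range(trials):  # constructed client/LB addresses and port ranges
        ctl, dat = passive_session("203.0.113.10", (40000 + 2 * i, 40001 + 2 * i),
                                   "198.51.100.5", 50000 + i % 100)
        splits += not same_firewall(ctl, dat, mode)
    return splits / trials
```

With the 5-tuple mode roughly half of the sessions split across the two firewalls, so the data channel reaches a firewall with no matching control session and is dropped; the two source-IP modes keep every session on one firewall.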
I am using FTPS, but also tested with FTP. I am using Src IP and Protocol for the transmission of the packets through the load balancer. I have other services working as expected on the PAs. As far as traffic, I only see the control traffic in the monitor tab.
The firewalls are in an A/A setup, but Azure doesn't really do HA, so they don't synchronize the session information.