Enable FTP and FTPS for Active/Passive?

Reply
Highlighted
L4 Transporter

Enable FTP and FTPS for Active/Passive?

Hello Folks,

 

We have a CrushFTP server installed on a server behind our PA 3020 PANOS: 7.1.14, SSL decrypt not enabled.

Security Rule:

FTP_rule.jpg

 

NAT Rule:

FTP_NAT_rule.jpg

 

Trying to figure out why Active and Passive with FTP over TLS (SSL) will not retrieve the directory listing and will not complete connection.  Works fine with just FTP (insecure).

 

Do I need to add SSL to the security rule?

 

Filezilla client set to Active - FTP Only (Insecure) - Why do I not see the data transfer port 20 when I upload a file?

 

Active_FTP.jpg

 

Filezilla Client set to Active - FTP over TLS

 

Active_FTPS.jpg

 

Filezilla client set to Passive - FTP Only (Insecure)

 

Passive_FTP.jpg

 

Filezilla client set to Passive - FTP over TLS (SSL) - Does this mean that FTPS is detected as SSL and discarded because not added to the security rule?

 

Passive_FTPS.jpg

 

For reference:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-FTPS-FTPES-Traffic-Through-...

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-fo...

 

Highlighted
L4 Transporter

No response so far.  I will close this thread by the end of the week.

Highlighted
Cyber Elite

@OMatlock,

You need SSL included in the policy if you are using FTPS and you aren't going to be decrypting the traffic. I suspect that the reason that you really haven't gotten any response is nobody here is using CrushFTP and therefore can't tell you which applications will actually be identified. 

It really sounds like what you need to do is actually see what the firewall is identifying the traffic and allow what it can see. Most of the traffic will likely actually identify as 'ssl' and be spread across whatever ports your FTPS server is actually using. You can see this easily if you temporarily build out an 'allow all' policy with one specific allowed testing IP and actually perfrom an upload and a download while logging the transactions. 

 

Just as an FYI the current Security Policy that you have specified really isn't that great since it has to allow a small amount of data to determine the application across all ports. I would verify which applications are actually coming across and then specify that application [ x y z ] can use services [ service-https whateverelse ] as you now have a much smaller threat vector.  

Highlighted
L2 Linker

We changed over to SFTP rather than FTPS and are much happier. The issue we had with FTPS is the random ports that are used were causing us issues. 

Highlighted
L4 Transporter

Thank you for the feedback!

Good advice about allow all and see the applications used in the traffic.

 

After that could narrow the rule to ftp and ssl (and or if other).

 

Will update.

Highlighted
L0 Member

Creating the application override for the FTPS works for me. 

Thanks!!!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!