FTP Inbound Decrypt Issues

cancel
Showing results for 
Search instead for 
Did you mean: 

FTP Inbound Decrypt Issues

L4 Transporter

Ok, I'm at my wit's end with TAC.. after 7 months of explaining the issues, collecting logs, and then starting over when a new agent takes the case, I'm hoping the community can help me.

 

I've had inbound decryption set up for our FTP server for some time.  We noticed an issue after updating to 10.0.8 (we're now on 10.1.5-h1 ) where people seemed to not be able to connect anymore.  After investigating, it appears that in Filezilla they are actually able to connect but it looks like they aren't because a TLS error occurs and the LIST command fails.  Right-clicking on the remote side and hitting Refresh several times will often eventually complete the directory listing.  This is with FTPS set to "Require explicit FTP over TLS" and with the Transfer Method set to Default (which I think may be Passive). This issue appears to be intermittent and sometimes it seems to connect fine.

 

Further investigation also showed the following:

  • The TLS error mentioned above when the LIST command fails is "GnuTLS error -110:  The TLS connection was non-properly terminated." followed by "Server did not properly shut down TLS connection" followed by "The data connection could not be established: ECONNABORTED - Connection Aborted" and then followed by "Failed to retrieve the directory listing".  Decryption logs GUI shows "General TLS Protocol Error" when this happens.
  • Error showing: "Server sent unsorted certificate chain in violation of the TLS specifications" at the start of each connection attempt
  • Changing the Transfer Method to Active seems to make it more reliable as far as connecting without a TLS error and getting the directory listed automatically (it still complains about the certificate chain)
  • Even with Active set, we then sometimes get a message indicating that the connection isn't secure because the server previously was detected as supporting TLS session resumption (I'm assuming this was either working before through the Palo and now it isn't or it's because when we've tested we've connected directly to the server which supports it)
  • Trying another client, WinSCP also doesn't list the directory on Passive.. it works when changed to Active.  I have no idea if it is getting any errors/warnings as I haven't noticed if there is a log view in that software.
  • Turning off the decryption rule resolves all of the issues.. the FTP connection is also a lot less verbose (in another words, when decryption is turned on there is a lot more chatting with commands/responses between the client and the firewall/server)

It looks like someone else has run into an issue like this before with Passive FTP and it was related to an issue with the content packs

https://live.paloaltonetworks.com/t5/general-topics/passive-ftp/td-p/11573

 

Anyone else having any issues or have any experience in what I can do to resolve this?

 

Thanks!

1 REPLY 1

Cyber Elite
Cyber Elite

Hi @jsalmans 

What was the last version when it was working? How does the decryption profile and rule look like that you cobfigured? How did you prepare the certificate file that you used for the inbound decryption? According to the error message you placed the intermediate certificate authority file at the wrong location in the file. Are there any decryption errors in the log on the paloalto firewall? What did TAC do so far with troubleshooting and whar were the results?

I think this issue should be solvable but I need some more information and more details about the steps taken and current config.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!