I need to block FTP communication - however, I do not want to block downloads that come through a browser - which can utilize FTP over HTTP. Would this configuration theoretically work? Curious if anyone has made that work - before I get into testing mode.
Rule1 - any/any - FTP Application - HTTP Service/Port80 - ALLOW
Rule2 - any/any - FTP Application - Any Services - DENY
Would rule 1 allow a user to download a software update that utilizes ftp over port 80 - and rule 2 deny the user from using an FTP application for uploading or downloading straight over port 21?
The web browser is an ftp client and for this reason doesn't tunnel ftp over http but simply uses port 21.
You also have to consider that if you are using ftp-passive mode, the server destination port could change from 21 during file transfer.
Otherwise, you have to use ftp-active mode (bad thing, because you need to open > 1023 ports to your local net from the Internet).
Unfortunately, you can configure http-get and http-put parameters but I didn't find ftp-put in custom applications.
You can allow ftp and put the service as "application-default", which should help you to allow ftp traffic only. For FTP using a browser as the client, it is actually running standard ftp in the background.
For FTP put and get, we do have a custom vulnerability sig shared in devcenter that you can use. You can enable a vul profile and put "ftp put" as "block" action.
I found that when I deny "ftp" - you can no longer download from hp.com. It shows in the logs as "web-browsing". This was my thought earlier, that it does some type of ftp over port 80. The log never shows an ftp connection, only 80. When I allow "ftp" again - then you can download - and it still stays on port 80.
I had tried to enter in the custom signatures - but received an error upon commit. Had to remove them.
I just tried to download some drivers from hp.com, and I saw three logs:
1. web-browsing - which is normal as it is the traffic before I click download from the website
2. ftp control connection running over standard port 21
3. ftp data connection running in the high port range
I am not sure why you are not seeing the ftp log. Are you using log at session end or log at session start (you can check it when you click the options of a policy)? If you are using log at session end you should see things similar to what I see.
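To make the policy behaviour described in this thread concrete, here is an added example (not from any post above, and not PAN-OS code): a small first-match policy evaluator run over three constructed sessions for one browser-initiated download (web-browsing on 80, the ftp control channel on 21, and the ftp data channel on the port announced in a PASV reply). It compares the two rules from the original question against an ftp rule on "application-default". Everything in it is an assumption made for illustration: the Session/Rule model, the port table, and the simplification that "application-default" for ftp covers tcp/21 plus the data port the firewall's FTP ALG learns from the control channel.

```python
"""Simplified first-match policy evaluation for FTP sessions.

Added example; not the thread's or the vendor's code. The Session/Rule
model is a deliberately simplified stand-in for a security policy
(assumption: 'application-default' for ftp means tcp/21 for the control
channel plus the data port negotiated on that channel, which is what an
FTP ALG tracks). It runs offline against constructed sessions.
"""
import re
from dataclasses import dataclass

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract the data-channel endpoint announced in a PASV reply.

    The port is p1*256 + p2 and changes on every transfer, which is why a
    rule pinned to tcp/21 (or tcp/80) never covers the data connection.
    """
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("PASV port octets out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Session:
    app: str                  # application identified: "ftp", "web-browsing", ...
    dst_port: int
    negotiated: bool = False  # True for an FTP data channel learned from PASV/PORT


@dataclass(frozen=True)
class Rule:
    name: str
    app: str      # "any" or an application name
    service: str  # "any", "application-default", or "tcp/<port>"
    action: str   # "allow" or "deny"


# Assumption: standard ports per application in this toy model.
APP_DEFAULT_PORTS = {"ftp": {21}, "web-browsing": {80, 8080}}


def rule_matches(rule: Rule, s: Session) -> bool:
    if rule.app not in ("any", s.app):
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Control channel on its standard port, or an ftp data channel
        # the ALG learned from an allowed control channel.
        return s.dst_port in APP_DEFAULT_PORTS.get(s.app, set()) or (
            s.app == "ftp" and s.negotiated)
    proto, port = rule.service.split("/")
    return proto == "tcp" and s.dst_port == int(port)


def evaluate(rules: list[Rule], s: Session) -> tuple[str, str]:
    """First matching rule wins; implicit deny if nothing matches."""
    for r in rules:
        if rule_matches(r, s):
            return r.name, r.action
    return "implicit", "deny"


# Constructed sessions for one browser download: the HTML page over HTTP,
# then the ftp control channel, then the PASV data channel.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."  # constructed
_, DATA_PORT = parse_pasv(PASV_REPLY)                           # 50000
WEB = Session("web-browsing", 80)
FTP_CTRL = Session("ftp", 21)
FTP_DATA = Session("ftp", DATA_PORT, negotiated=True)

# The two rules from the question, plus a plain web-browsing allow.
QUESTION_RULES = [
    Rule("Rule1", "ftp", "tcp/80", "allow"),
    Rule("Rule2", "ftp", "any", "deny"),
    Rule("Web", "web-browsing", "application-default", "allow"),
]

# The approach suggested in the thread: match ftp on application-default.
FIXED_RULES = [
    Rule("Allow-FTP", "ftp", "application-default", "allow"),
    Rule("Web", "web-browsing", "application-default", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("fixed", FIXED_RULES)):
        for s in (WEB, FTP_CTRL, FTP_DATA):
            print(label, s.app, s.dst_port, evaluate(rules, s))
```

With the question's rules, Rule1 never matches anything: the browser's ftp session is on port 21 and the data channel on the negotiated high port, so both fall through to Rule2 and are denied, which matches what the thread observed. With the application-default rule, both ftp sessions are allowed while ftp on a non-standard port (for example 2121) still hits the implicit deny.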
Thank you very much for taking the time to confirm that. Yes, after running a packet capture I was also able to see that it does indeed switch over to an ftp URL. I am logging at session end. Looking into why there was no entry for anything after "web-browsing". Will open a case with support if I find nothing. Possibly it could have been timing in the logs - but after a minute or two, I never saw the new ftp entry. However, logging aside - glad to know that the communication is ftp and will work on some type of whitelisting approach. Thanks!