04-12-2012 02:32 AM
Hello,
I can't make active FTP work.
My FTP server is an internal server (its IP is public).
My policy accepts the ftp application on application-default ports, inbound (Internet -> FTP server).
How do I make active sessions work? Passive works fine.
Thanks.
Franck.
04-21-2012 05:59 PM
Hi Franck,
As said before, please confirm whether there is an appropriate NAT rule configured for FTP.
The security rule should be similar to the following:
Security Rule: FTP-rule-Inbound
Source Zone: untrust (outside zone)
Destination Zone: trust (inside zone)
Source Address: any
Destination Address: 64.123.23.20 (public IP of FTP server)
Application: FTP
Action: Allow
[Attachment: FTP-rule.PNG]
For the incoming connection, what we call destination NAT should be applied.
It should look something like the following:
NAT Rule: FTP-inbound
Source Zone: untrust (outside zone)
Destination Zone: untrust (outside zone)
Source Address: any
Destination Address: 64.123.23.20 (public IP of FTP server)
Source Translation: none
Destination Translation: 192.168.10.10 (internal IP of FTP server)
[Attachment: NAT-inbound.PNG]
Regards,
Parth
04-23-2012 01:05 AM
Hi Parth,
thanks for the reply.
NAT is not active. All my IPs are public; there are no internal private IPs.
My rule is like this:
Security Rule: ftp-in
Source Zone: untrust (outside zone)
Source Address: any
Destination Zone: DR-LAN (inside zone)
Destination Address: 194.57.xxx.xxx (public IP of FTP server)
Application: FTP (application-default)
Action: Allow
With this, only passive connections work. Active does not. I don't know why.
I'm on PAN-OS 4.0.10.
I log all connections; I never see any active connection: my server from port 20 to the client (1024 - 65535).
With my old network infrastructure (Extreme Networks), active works fine, so my server's configuration is fine.
Maybe it's because I left the ftp application (service) on the default port (21)? Maybe I must set the service to "any"?
Regards.
04-23-2012 01:12 AM
You should still see the blocked flows in your traffic log.
Make sure that at the end of your security rules you manually set up one such as:
srczone: any
dstzone: any
srcip: any
dstip: any
user: any
application: any
action: deny
options: log on session start, log on session end
You should now see how your PA identifies the outgoing traffic from your FTP server (for the active connection) in case it isn't matched to the ongoing incoming session.
For the default deny at the bottom, log on session start is the natural option for me (since the traffic is denied); however, also use log on session end for debugging, since this will also include traffic volume and the identified application.
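The two posts above turn on one detail: in active mode the data connection is opened by the server (port 20 toward the client's high port), so from a zone-based rulebase it is a new session from the FTP server's zone out to the untrust zone, the reverse of the control session; in passive mode the client opens it, in the same direction as the control session. A stateful firewall with an FTP decoder normally predicts the data session from the PORT command or the 227 reply and ties it to the control session; when that association is missing, an explicit bottom deny that logs at session start is what makes the stray flow visible. The following Python model, an added example that is not from the thread or from PAN-OS, shows both cases. It assumes constructed addresses (194.57.0.10 as a stand-in for the thread's 194.57.xxx.xxx, 203.0.113.5 for the client) and a simplified rulebase with the thread's ftp-in rule and the suggested default deny:

```python
"""Zone-based rulebase model for FTP control vs. data connections.

Added example, not from the thread or from PAN-OS. Constructed values: the
FTP server is 194.57.0.10 (stand-in for 194.57.xxx.xxx) in zone DR-LAN,
the client is 203.0.113.5 in zone untrust.
"""
import re
from dataclasses import dataclass
from typing import Container, Optional, Tuple

# Constructed zone map; a real firewall derives zones from interfaces/routing.
ZONES = {"194.57.0.10": "DR-LAN"}


def zone_of(ip: str) -> str:
    return ZONES.get(ip, "untrust")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _hostport(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def predict_data_flow(control: Flow, line: str) -> Flow:
    """Return the data connection implied by one control-channel line.

    Active: the client sends PORT h1,h2,h3,h4,p1,p2 and the SERVER connects
    from port 20 to that address, so the data flow runs opposite to control.
    Passive: the server answers 227 (...) and the CLIENT connects to that
    address, so the data flow runs in the same direction as control.
    """
    m = PORT_RE.match(line)
    if m:
        client_ip, client_port = _hostport(m.groups())
        return Flow(control.dst_ip, 20, client_ip, client_port)
    m = PASV_RE.match(line)
    if m:
        server_ip, server_port = _hostport(m.groups())
        # The client's ephemeral source port is unknown until it connects; 0 = wildcard.
        return Flow(control.src_ip, 0, server_ip, server_port)
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str            # zone name or "any"
    to_zone: str
    dst_ip: str               # address or "any"
    dst_port: Optional[int]   # None = any service
    action: str
    log_start: bool = False

    def matches(self, f: Flow) -> bool:
        return (self.from_zone in ("any", zone_of(f.src_ip))
                and self.to_zone in ("any", zone_of(f.dst_ip))
                and self.dst_ip in ("any", f.dst_ip)
                and self.dst_port in (None, f.dst_port))


# Rulebase as described in the thread: the inbound ftp rule, then the
# suggested explicit bottom deny that logs at session start.
RULEBASE = [
    Rule("ftp-in", "untrust", "DR-LAN", "194.57.0.10", 21, "allow"),
    Rule("default-deny", "any", "any", "any", None, "deny", log_start=True),
]

PredictKey = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def predict_key(f: Flow) -> PredictKey:
    return (f.src_ip, f.dst_ip, f.dst_port)


def evaluate(f: Flow, predicted: Container[PredictKey] = frozenset(),
             parent_rule: str = "ftp-in") -> Tuple[str, str]:
    """Return (rule_name, zone direction) for a new connection.

    A data connection the FTP decoder predicted from the control channel is
    treated as part of the control session and inherits its rule; anything
    else is evaluated top to bottom, first match wins.
    """
    direction = f"{zone_of(f.src_ip)}->{zone_of(f.dst_ip)}"
    if predict_key(f) in predicted:
        return parent_rule, direction
    for r in RULEBASE:
        if r.matches(f):
            return r.name, direction
    return "implicit-deny", direction


def demo() -> dict:
    control = Flow("203.0.113.5", 51000, "194.57.0.10", 21)
    active = predict_data_flow(control, "PORT 203,0,113,5,195,80")  # client port 50000
    passive = predict_data_flow(
        control, "227 Entering Passive Mode (194,57,0,10,156,64).")  # server port 40000
    predicted = {predict_key(active), predict_key(passive)}
    return {
        "control": evaluate(control),
        "active_with_alg": evaluate(active, predicted),
        "active_without_alg": evaluate(active),
        "passive_with_alg": evaluate(passive, predicted),
        "passive_without_alg": evaluate(passive),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> rule={result[0]:13s} direction={result[1]}")
```

Run stand-alone, the active data flow without its predicted session lands on default-deny with direction DR-LAN->untrust: that is the outbound-from-server log entry the reply says to look for, and its absence in Franck's logs is what points to the traffic being dropped before it reaches the firewall at all.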
04-23-2012 01:33 AM
omg,
The problem came from another network switch (Extreme Networks X650) in front of the PA-4020.
The problem came from this rule:
enable ip-security anomaly-protection tcp flags
Thanks for all replies.
Active now works with:
application : ftp
service : application default
Regards,
Franck.