Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

ftp server

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ftp server

L1 Bithead

Hello,

I can't make active ftp working.

My ftp server is internal server (IP is public).

My policy accept ftp application on default ftp application in inboud (Internert -> ftp server).

How to make active session works ? Passive works fine.

Thanks.

Franck.

6 REPLIES 6

L5 Sessionator

Franck,

Please open a case with Support so that we can review your config and troubleshoot further.

Thanks,

Sri

L4 Transporter

Do you have a corresponding NAT rule for that incoming traffic ?

Hi Frank,


As said before, please confirm if there is appropriate NAT rule configured for FTP.

Similar to the following should be the security rule:-

Security Rule :-FTP-rule-Inbound

Source Zone:-  untrust (Outside zone)

Destination Zone:- trust  (inside zone)

Source Address:- any    

Destination Address:-64,123,23,20  (Public Ip of FTP Sever)

Application: FTP

Action:- Allow

ATTACHMENT:- FTP-rule.PNG

For incoming connection, what we call Destination NAT should be applied:-
It should look something like the following:-

NAT Rule:- FTP-inbound

Source Zone : Untrust  (Outside zone)

Desination Zone:- Untrust (Outside zone)

Source Address: Any

Destination Address:64,123,23,20  (Public Ip of FTP Sever)

Source Translation: None

Destination Translation:- 192.168.10.10 (Internal Ip of FTP Server)
ATTACHMENT:- NAT-inbound.PNG

Regards,

Parth

Hi Parth,

thanks for the reply.
NAT is not active. All my IP are publics, no internal private IP.

My rules is like this :

Security Rule : ftp-in
Source Zone:-  untrust (Outside zone)
Source Address:- any    
Destination Zone:- DR-LAN  (inside zone)
Destination Address:  194.57.xxx.xxx (Public Ip of FTP Sever)
Application: FTP (application default)
Action:- Allow


With this only passive connexion works. Active not. I don't know why.
I 'am on PANoS 4.0.10


I log all connexions, I never see any connexion in active : my server from port 20 to client (1024 - 65535).


With my old networks infrastructure (extreme networks) active works fine, so my server's configuration is fine.

May be it's because I let application ftp (service) with default ports (21) ?? May be I must set service on "any" ?

Regards.

You should still see the blocked flows in your traffic log.

Make sure that you in the end of your security rules manually setup one such as:

srczone: any

dstzone: any

srcip: any

dstip: any

user: any

application: any

action: deny

options: log on session start, log on session end

You should now see how your PA identifies the outgoing traffic from your FTP server (regarding active connection) in case this isnt matched to the ongoing incoming session.

For default deny in the bottom log on session start is the natural option for me (since the traffic is denied), however use also on session end for debugging since this will also include trafficvolume and identified application.

omg,

the problem came from another network switch (Extreme Networks X650) in head of PA 4020.

The problem is come form this rule :

enable ip-security anomaly-protection tcp flags

Thanks for all replies.

Active now works with :

application : ftp

service : application default

Regards,

Franck.

  • 5960 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!