12-23-2020 05:16 AM
I have an FTPS server behind the PA. When I enable either AntiVirus, AntiSpyware or vulnerability protection with default profiles it is impossible to connect to the FTP server over TLS. The below errors are seen. When I disable these protections I'm able to connect.
Regards,
Han.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,194,31).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: The data connection could not be established: ECONNABORTED - Connection aborted
Response: 226-Directory has 53,565,587,456 bytes of disk space available.
Response: 226 Transfer complete.
Error: Failed to retrieve directory listing
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
12-23-2020 05:50 AM
Hi @Han.Valk Did you check the threat logs for the below traffic? Threat logs will give you more clarity on this connection. They will give you the specific threat ID and/or signature that is being matched and causing issues.
12-23-2020 06:04 AM
The threat log is showing nothing regarding FTP.
12-23-2020 06:23 AM
What are the Traffic logs in the firewall reporting?
12-23-2020 08:36 AM
The traffic logs show that without protection the control channel on port 21 is decrypted and the data channel isn't, plus I am able to transfer files.
With protection enabled sometimes I am able to connect and in that case the data channel is also being decrypted. A lot of the time however I'm not able to connect. The FTP client shows the errors mentioned earlier.
12-23-2020 10:10 AM
Hi @Han.Valk ,
Can you please confirm the below points:
1. Do you see the session end result as threat under traffic logs for connection failures?
2. Do you also have any file blocking profile configured on the same policy along with the other mentioned profiles?
Also, as you are not able to see any threat logs, you can verify through the CLI using the below command and see if threat logs are coming.
show log threat direction equal backward
12-23-2020 11:21 PM
Hi Mayur,
The logs show nothing out of the ordinary, no drops, no denies.
Regards,
Han.
12-23-2020 11:27 PM
The output from show log threat direction equal backward is showing the same stuff as the GUI log, nothing regarding FTP.
12-26-2020 02:58 AM
Hi @Han.Valk ,
Without logs it would be very difficult to know which specific threat/signature is actually causing issues for the FTP requests.
You can take a packet capture on the firewall and see if it helps you.
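To line up a packet capture or the traffic log with the failing data connections, the client log from the first post can be reduced to the passive data port of each attempt and the errors that followed it. This is an added example, not part of the thread: the sample log is constructed (192.0.2.10 is a placeholder address) and the function name is hypothetical.

```python
import re

# Constructed client log modelled on the lines quoted in the thread;
# 192.0.2.10 is a documentation address, not a value from the thread.
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,10,194,31).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: The data connection could not be established: ECONNABORTED - Connection aborted
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,10,194,40).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Response: 226 Transfer complete.
"""

# Host fields may be masked (xxx) in a pasted log, so accept \w there.
PASV_RE = re.compile(r"227 .*?\((\w+),(\w+),(\w+),(\w+),(\d+),(\d+)\)")

def data_channel_attempts(log_text):
    """Return one dict per 227 reply: host, data port, command, errors seen."""
    attempts, current = [], None
    for line in log_text.splitlines():
        kind, _, text = line.partition(": ")
        m = PASV_RE.search(text) if kind == "Response" else None
        if m:
            h1, h2, h3, h4, p1, p2 = m.groups()
            # RFC 959: the last two fields are the high and low byte of the port.
            current = {"host": ".".join((h1, h2, h3, h4)),
                       "port": int(p1) * 256 + int(p2),
                       "command": None, "errors": []}
            attempts.append(current)
        elif (current is not None and kind == "Command"
              and text != "PASV" and current["command"] is None):
            current["command"] = text  # first command that uses this data port
        elif current is not None and kind == "Error":
            current["errors"].append(text)
    return attempts

if __name__ == "__main__":
    for a in data_channel_attempts(SAMPLE_LOG):
        state = "FAILED" if a["errors"] else "ok"
        print(f'{a["command"]} -> {a["host"]}:{a["port"]} {state}')
```

The port of each failed attempt is the destination port to filter on in the traffic log and in the capture.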