FTPS connection impossible with AntiVirus, AntiSpyware or vulnerability protection is enabled

L1 Bithead

I have an FTPS server behind the PA. When I enable either AntiVirus, AntiSpyware or vulnerability protection with default profiles it is impossible to connect to the FTP server over TLS. The below errors are seen. When I disable these protections I'm able to connect.

Regards,

Han.

Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,194,31).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: The data connection could not be established: ECONNABORTED - Connection aborted
Response: 226-Directory has 53,565,587,456 bytes of disk space available.
Response: 226 Transfer complete.
Error: Failed to retrieve directory listing

Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
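To work out which data-channel port the firewall's traffic logs should be searched for, here is an added example that is not part of the thread: it parses the client's 227 PASV reply (RFC 959 encodes the port as p1*256 + p2) and pairs each data connection with the GnuTLS error that followed it. The log excerpt and the address 192.0.2.10 are constructed.

```python
import re

# Constructed FTP client log excerpt, modelled on the errors quoted above.
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,10,194,31).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: The data connection could not be established: ECONNABORTED - Connection aborted
Response: 226 Transfer complete.
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def find_failed_data_channels(log_text):
    """For every PASV reply in the log, record the data endpoint and the first
    GnuTLS error seen before the next PASV reply (None if the transfer was clean)."""
    results = []
    current = None
    for line in log_text.splitlines():
        endpoint = parse_pasv(line)
        if endpoint:
            current = {"host": endpoint[0], "port": endpoint[1], "tls_error": None}
            results.append(current)
        elif current and current["tls_error"] is None and "GnuTLS error" in line:
            current["tls_error"] = line.split("Error: ", 1)[1]
    return results


if __name__ == "__main__":
    for entry in find_failed_data_channels(SAMPLE_LOG):
        print(entry)  # host, data port and the TLS error to filter traffic logs on
```

Filter the firewall traffic log on the reported destination port to see whether that data-channel session was decrypted or ended with a threat verdict.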

L6 Presenter

Hi @Han.Valk Did you check the threat logs for the traffic below? Threat logs will give you more clarity for this connection. They will give you the specific threat ID and/or signature which is getting matched and causing issues.

Mayur S.
L1 Bithead

The threat log is showing nothing regarding FTP.

Cyber Elite

What are the Traffic logs in the firewall reporting?

@Han.Valk wrote:

I have an FTPS server behind the PA. When I enable either AntiVirus, AntiSpyware or vulnerability protection with default profiles it is impossible to connect to the FTP server over TLS. The below errors are seen. When I disable these protections I'm able to connect.

Regards,

Han.

Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,194,31).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: The data connection could not be established: ECONNABORTED - Connection aborted
Response: 226-Directory has 53,565,587,456 bytes of disk space available.
Response: 226 Transfer complete.
Error: Failed to retrieve directory listing

Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
L1 Bithead

The traffic logs show that without protection the control channel on port 21 is decrypted and the data channel isn't, plus I am able to transfer files.

With protection enabled sometimes I am able to connect and in that case the data channel is also being decrypted. A lot of the time however I'm not able to connect. The FTP client shows the errors mentioned earlier.

L6 Presenter

Hi @Han.Valk ,

Can you please confirm the points below:

1. Do you see the session end reason as threat under traffic logs for the connection failures?

2. Also, do you have any file blocking profile configured on the same policy along with the other mentioned profiles?


Also, as you are not able to see any threat logs, you can verify through the CLI using the command below and see if threat logs are coming.

show log threat direction equal backward

Mayur S.
L1 Bithead

Hi Mayur,

  1. There is no threat regarding the FTP connection being logged.
  2. There is no file blocking policy configured as shown below.

[image: Untitled1.png]

The logs show nothing out of the ordinary, no drops, no denies.

Regards,

Han.

L1 Bithead

The output from show log threat direction equal backward is showing the same stuff as the GUI log, nothing regarding FTP.

L6 Presenter

Hi @Han.Valk ,

Without logs it would be very difficult to know which specific threat/signature is actually causing issues for the FTP requests.

You can take a packet capture on the firewall and see if it helps you.

Mayur S.