09-07-2018 02:33 AM - edited 09-07-2018 02:34 AM
Hi,
We have an inbound NAT for FTPS but the connections are not working. We cannot see any deny in the FWs.
We don't have SSL decryption configured. I think it shouldn't be necessary, right?
The configured policy has "ssl" and "ftp" allowed. This is the FTP log:
Why are the FTPS connections not working? Any dynamic port or something like that?
09-07-2018 03:28 AM
I assume you are using active FTP. In this case TLS decryption is required for the firewall to be able to see the negotiated port and to open the connection dynamically. But there might also be some more problems: As the data connection is initiated by the server towards the client in active FTP, the source NAT IP needs to be the same as the destination NAT IP from the inbound NAT rule.
But to make your situation easier, just use passive FTP and the connection (assuming that the required security policies are in place) will work without TLS decryption.
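The reply above turns on what an FTP-aware firewall can read from the control channel. The following added example (not code from anyone in this thread or from the vendor) shows that parsing for the four port-negotiation forms and why, once the control channel is encrypted, no dynamic pinhole can be derived; the transcripts and addresses are constructed, and the TLS upgrade is simulated by skipping the lines after the 234 reply.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class DataChannel(NamedTuple):
    mode: str   # "active": server opens the data connection to the client; "passive": client opens it
    host: str   # address the data connection goes to
    port: int

# The four ways the data port is negotiated on a plaintext FTP control channel.
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPRT = re.compile(r"^EPRT \|(\d)\|([^|]+)\|(\d+)\|\s*$", re.I)
_PASV = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def _addr_port(m) -> Tuple[str, int]:
    # h1,h2,h3,h4,p1,p2 encoding: port = p1 * 256 + p2
    return ".".join(m.group(i) for i in range(1, 5)), int(m.group(5)) * 256 + int(m.group(6))

def negotiated_data_channel(line: str, server_ip: str) -> Optional[DataChannel]:
    """Data channel an FTP-aware firewall must open for one control-channel line, or
    None if the line negotiates nothing. server_ip is needed for EPSV (port only)."""
    if m := _PORT.match(line):
        return DataChannel("active", *_addr_port(m))
    if m := _EPRT.match(line):
        return DataChannel("active", m.group(2), int(m.group(3)))
    if m := _PASV.match(line):
        return DataChannel("passive", *_addr_port(m))
    if m := _EPSV.match(line):
        return DataChannel("passive", server_ip, int(m.group(1)))
    return None

def pinholes_for_session(transcript: List[Tuple[str, str]], server_ip: str) -> List[DataChannel]:
    """Collect every data channel the firewall can learn from (side, line) pairs, side
    "C" or "S". After the server's 234 reply to AUTH TLS the control channel is
    ciphertext to a firewall without SSL decryption; simulated here by skipping the
    rest of the transcript, which is exactly why active FTPS has no pinhole to open."""
    found, encrypted = [], False
    for side, line in transcript:
        if not encrypted and (ch := negotiated_data_channel(line, server_ip)):
            found.append(ch)
        if side == "S" and line.startswith("234"):
            encrypted = True
    return found

# Constructed transcripts using RFC 5737 documentation addresses, not the poster's network.
SERVER = "198.51.100.5"
PLAIN_ACTIVE = [("C", "USER demo"), ("S", "331 Password required"),
                ("C", "PORT 203,0,113,10,4,1"), ("S", "200 PORT command successful")]
FTPS_ACTIVE = [("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
               ("C", "PORT 203,0,113,10,4,1"), ("S", "200 PORT command successful")]
```

In the plaintext session the firewall learns that the server will connect back to 203.0.113.10:1025 (the "active" channel), which is also the connection whose source NAT must match the inbound NAT address; in the FTPS session it learns nothing, so only a passive transfer covered by an explicit policy can succeed without decryption.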
09-07-2018 07:21 PM
You won't be able to see the deny logs for the implicitly denied rule unless you set it to log with a specific rule. You may try two options.
1) Add two Services Objects with TCP/20 and 21, and allow it on the Security Policies.
2) Do a packet capture while you are testing an FTP connection.
09-10-2018 11:29 AM
While creating a specific rule like you've mentioned would certainly be an option, a better troubleshooting method would always be enabling logging on the default rules so that you capture all denied traffic and can filter as needed. Since there are additional considerations when using Active FTP, it's likely that this connection would actually fail prior to ever hitting the recommended security policy.