ftps/ftpes

Reply
Highlighted
Not applicable

ftps/ftpes

How can I allow an FTPS (FTPES) connection?  I assume the PA tracks an FTP connection and understands the related data connection.  Does it understand FTPS?  If I set a policy for ftp, it fails when it tries to open a data connection.

Kim


Accepted Solutions
Highlighted
L6 Presenter

Hi Kim,

In order to allow ftps or ftpes we need to do ssl decryptioin. We identify the FTPS control connection as SSL.Since it FTPS is over SSL we donot have any visibility into application and we identify it as SSL connection. If we allow only SSL in our security than we will allow only control connection for the FTPS but not the data connection.

The control session will work fine by just allowing the ssl application but the actual data session (the file transfer) will not work because Paloalto will block that file transfer as that transfer takes on a different set of ports rather than the port 990 that is used for FTPS control connection. So for you to get the FTPS working you will have to do SSL decryption.

I have attached a doc about SSL decryption which I found in the discussions and its really good. Please have a look at it

Thanks,

Sandeep T

View solution in original post


All Replies
Highlighted
L6 Presenter

Hi Kim,

In order to allow ftps or ftpes we need to do ssl decryptioin. We identify the FTPS control connection as SSL.Since it FTPS is over SSL we donot have any visibility into application and we identify it as SSL connection. If we allow only SSL in our security than we will allow only control connection for the FTPS but not the data connection.

The control session will work fine by just allowing the ssl application but the actual data session (the file transfer) will not work because Paloalto will block that file transfer as that transfer takes on a different set of ports rather than the port 990 that is used for FTPS control connection. So for you to get the FTPS working you will have to do SSL decryption.

I have attached a doc about SSL decryption which I found in the discussions and its really good. Please have a look at it

Thanks,

Sandeep T

View solution in original post

Highlighted
L0 Member

I believe this is working in 5.0.4 without decryption. I have a single policy that permits the ftp and ssl applications to my IIS7 FTP server.

At first I thought I'd made a mistake, so I checked the following:

1)  Is the ftp server allowing unencrypted traffic? Tested: No (it will not accept regular FTP connections)

2)  Is my policy erroneously allowing ALL traffic? Tested: No

3)  Is only the control channel encrypted and data is unencrypted? I wiresharked my traffic while transferring an ASCII file, and the data stream definitely looks encrypted. That and IIS is configured to encrypt both.

Can anyone confirm that recent firmware does indeed "understand" the FTPS protocol when you specify both ftp and ssl as permitted applications?

Highlighted
L4 Transporter

I just faced the ftps issue and was searching the community articles. For me the problem was not resolved by adding SSL. The data connection did not work. The app was using range of high ports which I ended up allowing as service and solved the issue. I did not attempt ssl decryption since I had to fix it ASAP :).

Highlighted
L7 Applicator

you'll need to enable ssl decryption as those high ports are negotiated in the initial ftp (control) connection. only by looking inside the encrypted session can the firewall determine which ports will be used for the data session and will a predict session be created to properly handle the high port session

 

 

hope this helps

Tom

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Highlighted
L1 Bithead

Hi, what about when the inbound traffic is explicit FTPS where the control channel is over port 21 and data is high ranged ports as SSL.


In our case port 21 is being seen as FTP app-id and the high-ranged ports are seen as SSL.   We need a way to detect this and restrict regular FTP.  Any suggestions? TIA...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!