This is the only information I have found,
We don't presently have any SSL decryption so I am working out how to get a trusted CERT working first,
But would the rule need applications FTP/SSL? It's unclear from the above post.
FTPS is basically FTP over SSL layer (do not confuse with SFTP), which means that since you enable SSL decryption you should see application "FTP". When you don't enable SSL decryption you will see application "SSL".
Just be careful, as FTPS services are often running on exotic ports (I have many in my environment on port 90x or 120x, it depends on the provider). In this case be sure to disable "default application" in the service tab (and use a particular service or "any"), otherwise your FW will drop the traffic.
As @Laurent_Dormond pointed out, this traffic really isn't any different than any other application that you would have to allow through the firewall. You'll simply need to identify the ports that this server is going to use and allow the identified applications on that range of ports. More than likely the only app-id that the firewall will see is going to be 'ssl' unless you start decrypting the traffic moving forward.
So initially then, I will just enable SSL from the source to the destination on the expected port.
Perhaps in future once tested and working we would move to SSL Decryption and inspect the application inside the tunnel.
Right. You would just have a policy similar to something like
set rulebase security rules "Allow FTPS" from untrust to dmz source any destination FTPS-Server application ssl service [ FTPS service-https ] action allow log-end yes
Note that in this example I have an address object 'FTPS-Server' that ties to the destination address of the FTPS server that you would be using, and I've created a service object 'FTPS' that maps to tcp-990. You likely wouldn't want to actually allow a source 'any' in this policy and you would likely want to assign some security profile or security group to this.
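As an added illustration (not part of the thread or any poster's configuration), this Python check parses set-format security rules and flags the caveats raised above: a source of 'any', no security profile group, and application-default on a non-standard FTPS port. The object names Partner-Net and FTPS-Profiles, the default-port table, and handling only the 'profile-setting group' form are assumptions.

```python
import shlex

# Assumed standard ports for the two App-IDs the thread mentions (illustrative).
APP_DEFAULT_PORTS = {"ssl": {443}, "ftp": {21}}

def parse_rule(line):
    """Parse one 'set rulebase security rules <name> ...' line into a dict of lists."""
    tok = shlex.split(line)  # keeps quoted rule names such as "Allow FTPS" intact
    if tok[:4] != ["set", "rulebase", "security", "rules"] or len(tok) < 5:
        raise ValueError("not a set-format security rule")
    rule, i = {"name": [tok[4]]}, 5
    while i < len(tok):
        key, i = tok[i], i + 1
        if key == "profile-setting":      # only the 'profile-setting group <name>' form
            key, i = "profile-group", i + 1
        if i >= len(tok):
            raise ValueError(f"missing value for {key}")
        if tok[i] == "[":                 # bracketed multi-value list
            end = tok.index("]", i)
            rule[key], i = tok[i + 1:end], end + 1
        else:
            rule[key], i = [tok[i]], i + 1
    return rule

def review_rule(line, server_port):
    """Return findings for the caveats raised in the thread."""
    rule, findings = parse_rule(line), []
    if "any" in rule.get("source", ["any"]):
        findings.append("source is 'any'")
    if "profile-group" not in rule:
        findings.append("no security profile group attached")
    if "application-default" in rule.get("service", []):
        ok = any(server_port in APP_DEFAULT_PORTS.get(a, set())
                 for a in rule.get("application", []))
        if not ok:
            findings.append(f"application-default will not match tcp/{server_port}")
    return findings

# Constructed inputs: the rule from the thread, and a tightened variant with
# hypothetical object names (Partner-Net, FTPS-Profiles).
THREAD_RULE = ('set rulebase security rules "Allow FTPS" from untrust to dmz source any '
               'destination FTPS-Server application ssl service [ FTPS service-https ] '
               'action allow log-end yes')
TIGHTENED = ('set rulebase security rules "Allow FTPS" from untrust to dmz '
             'source Partner-Net destination FTPS-Server application ssl service FTPS '
             'profile-setting group FTPS-Profiles action allow log-end yes')

if __name__ == "__main__":
    print(review_rule(THREAD_RULE, 990), review_rule(TIGHTENED, 990))
```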