Guide to FTPS?

L4 Transporter

One of our partners is switching its service to FTPS.

 

Does anyone know of a decent guide on implementing FTPS? I saw a brief article by "sdurga" but it's not very detailed.

 

We don't presently do any SSL decryption, so I'm unsure of what we need to do and what effect it may have on other parts of the system.

 

Thanks

 

Robin

6 REPLIES

Cyber Elite

@RobinClayton,

Like what you have to enable on the firewall to get the traffic allowed through, or what exactly are you looking for?

 

This is the only information I have found,

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-FTPS-FTPES-Traffic-Through-...

 

 

 

We don't presently have any SSL decryption, so I am working out how to get a trusted cert working first.

 

But would the rule need applications FTP/SSL? It's unclear from the above post.

 

Thanks

 

Rob 

 

L3 Networker

Hi,

 

FTPS is basically FTP over an SSL layer (do not confuse it with SFTP), which means that once you enable SSL decryption you should see application "FTP". When you don't enable SSL decryption you will see application "SSL".

 

Just be careful, as FTPS services are often running on exotic ports (I have many in my environment on port 90x or 120x; it depends on the provider). In this case be sure to disable "default application" in the service tab (and use a particular service or "any"), otherwise your FW will drop the traffic.

 

Regards,
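To make the "FTP vs. SSL" point above concrete, here is an added example (it is not from this thread and not PAN-OS code): a small Python classifier that looks at the opening bytes of a session the way a firewall that is NOT decrypting would. Implicit FTPS (TLS from the first byte, tcp/990 by convention) never looks like anything but "ssl"; explicit FTPS (FTPES) is readable FTP up to the 234 reply to AUTH TLS and only then becomes "ssl"; plain FTP stays "ftp" and the passive data port is readable in the 227 reply. The three sessions, the hand-built ClientHello and the "c2s"/"s2c" labels are all constructed for this example and are assumptions, not App-ID names or output.

```python
"""Classify constructed FTP / FTPS sessions as an undecrypting inspector would.

Added example for the thread above; not PAN-OS code.  Sessions, the minimal
ClientHello and the app labels are this example's own constructions.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): data port = p1*256 + p2
PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_tls_record(data: bytes, content_type: int) -> bool:
    """True if data starts with a TLS record of the given content type
    (0x16 handshake, 0x17 application data) carrying a TLS 1.x version."""
    return (len(data) >= 5 and data[0] == content_type
            and data[1] == 0x03 and data[2] <= 0x04)


def is_tls_client_hello(data: bytes) -> bool:
    """Handshake record whose first handshake message is ClientHello (type 1)."""
    return is_tls_record(data, 0x16) and len(data) > 5 and data[5] == 0x01


def ftp_reply_code(data: bytes):
    """FTP replies open with a 3-digit code followed by space or '-' (multi-line)."""
    m = re.match(rb"(\d{3})[ -]", data)
    return int(m.group(1)) if m else None


def passive_data_port(reply: bytes):
    """Data port advertised in a cleartext 227 reply, or None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    return int(m.group(5)) * 256 + int(m.group(6))


def build_client_hello() -> bytes:
    """Minimal, constructed TLS-framed ClientHello: version 1.2, 32 zero bytes
    of 'random', empty session id, one cipher suite, null compression, no
    extensions.  Enough to be recognised as a handshake; not a real client."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_session(messages):
    """Walk (direction, bytes) pairs in order.  Returns the ordered list of
    application labels assignable without decrypting, plus every passive
    data port that was readable on the control channel."""
    apps, data_ports, encrypted = [], [], False

    def note(app):
        if not apps or apps[-1] != app:
            apps.append(app)

    for direction, data in messages:
        if encrypted or is_tls_client_hello(data) or is_tls_record(data, 0x17):
            encrypted = True  # from the ClientHello on, the stream is opaque
            note("ssl")
            continue
        code = ftp_reply_code(data)
        if direction == "s2c" and code is not None:
            note("ftp")
            port = passive_data_port(data)
            if port is not None:
                data_ports.append(port)
        elif direction == "c2s" and data.endswith(b"\r\n"):
            note("ftp")  # cleartext command such as USER, PASV or AUTH TLS
    return apps, data_ports


# Constructed sample sessions (not captures from any real server).
CLIENT_HELLO = build_client_hello()
SERVER_HELLO = b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"      # handshake, type 2
TLS_APP_DATA = b"\x17\x03\x03\x00\x20" + bytes(32)           # e.g. encrypted PASV

# Implicit FTPS (tcp/990): TLS from the very first byte.
IMPLICIT_FTPS = [("c2s", CLIENT_HELLO), ("s2c", SERVER_HELLO), ("s2c", TLS_APP_DATA)]

# Explicit FTPS (FTPES): plain FTP until AUTH TLS is accepted, then TLS.
EXPLICIT_FTPS = [
    ("s2c", b"220 partner FTP service ready\r\n"),
    ("c2s", b"AUTH TLS\r\n"),
    ("s2c", b"234 Proceed with negotiation.\r\n"),
    ("c2s", CLIENT_HELLO),
    ("s2c", SERVER_HELLO),
    ("s2c", TLS_APP_DATA),
]

# Plain FTP: the 227 reply exposes the data port (19*256 + 136 = 5000).
PLAIN_FTP = [
    ("s2c", b"220 partner FTP service ready\r\n"),
    ("c2s", b"USER rob\r\n"),
    ("s2c", b"331 Password required\r\n"),
    ("c2s", b"PASV\r\n"),
    ("s2c", b"227 Entering Passive Mode (10,0,0,5,19,136)\r\n"),
]

if __name__ == "__main__":
    for name, session in (("implicit FTPS", IMPLICIT_FTPS),
                          ("explicit FTPS", EXPLICIT_FTPS),
                          ("plain FTP", PLAIN_FTP)):
        apps, ports = classify_session(session)
        print(f"{name:14s} apps seen: {apps}  readable passive data ports: {ports}")
```

Two practical consequences follow from the output. For explicit FTPS the control channel is "ftp" before it is "ssl", so a policy that only allows ssl can fail at the very first packet; for implicit FTPS, ssl on the partner's port is the only thing an undecrypting firewall can ever match. And in both FTPS modes the PASV/EPSV replies are inside the TLS session, so nothing can open the data ports dynamically for you: either the partner's passive port range has to be allowed explicitly on the rule, or the traffic has to be decrypted so the inner FTP is visible.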

@RobinClayton,

As @Laurent_Dormond pointed out, this traffic really isn't any different than any other application that you would have to allow through the firewall. You'll simply need to identify the ports that this server is going to use and allow the identified applications on that range of ports. More than likely the only app-id that the firewall will see is going to be 'ssl' unless you start decrypting the traffic moving forward.

So initially then, I will just enable SSL from the source to the destination on the expected port.

 

Perhaps in the future, once tested and working, we would move to SSL Decryption and inspect the application inside the tunnel.

 

 

Cheers

 

Rob

@RobinClayton,

Right. You would just have a policy similar to something like 

set rulebase security rules "Allow FTPS" from untrust to dmz source any destination FTPS-Server application ssl service [ FTPS service-https ] action allow log-end yes

Note that in this example I have an address object 'FTPS-Server' that ties to the destination address of the FTPS server that you would be using, and I've created a service object 'FTPS' that maps to tcp-990. You likely wouldn't want to actually allow a source 'any' in this policy and you would likely want to assign some security profile or security group to this. 
