06-11-2018 06:53 AM
One of our partners is switching its service to FTPS.
Does anyone know of a decent guide on implementing FTPS? I saw a brief article by "sdurga" but it's not very detailed.
We don't presently do any SSL decryption, so I'm unsure of what we need to do and what effect it may have on other parts of the system?
Thanks
Robin
06-11-2018 11:20 AM
Like what you have to enable on the firewall to get the traffic to be allowed through, or what exactly are you looking for?
06-12-2018 12:58 AM
This is the only information I have found,
We don't presently have any SSL decryption, so I am working out how to get a trusted CERT working first.
But would the rule need applications FTP/SSL? It's unclear from the above post.
Thanks
Rob
06-12-2018 02:07 AM
Hi,
FTPS is basically FTP over an SSL layer (do not confuse with SFTP), which means that once you enable SSL decryption you should see application "FTP". When you don't enable SSL decryption you will see application "SSL".
Just be careful, as FTPS services are often running on exotic ports (I have many in my environment on port 90x or 120x; it depends on the provider). In this case be sure to disable "default application" in the service tab (and use a particular service or "any"), otherwise your FW will drop the traffic.
Regards,
06-12-2018 05:44 AM
As @Laurent_Dormond pointed out, this traffic really isn't any different than any other application that you would have to allow through the firewall. You'll simply need to identify the ports that this server is going to use and allow the identified applications on that range of ports. More than likely the only app-id that the firewall will see is going to be 'ssl' unless you start decrypting the traffic moving forward.
06-19-2018 01:25 AM - edited 06-19-2018 01:28 AM
So initially then, I will just enable SSL from the source to the destination on the expected port.
Perhaps in future, once tested and working, we would move to SSL Decryption and inspect the application inside the tunnel.
Cheers
Rob
06-19-2018 08:16 AM
Right. You would just have a policy similar to something like:
set rulebase security rules "Allow FTPS" from untrust to dmz source any destination FTPS-Server application ssl service [ FTPS service-https ] action allow log-end yes
Note that in this example I have an address object 'FTPS-Server' that ties to the destination address of the FTPS server that you would be using, and I've created a service object 'FTPS' that maps to tcp-990. You likely wouldn't want to actually allow a source 'any' in this policy and you would likely want to assign some security profile or security group to this.
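Before relying on the rule above, it helps to confirm from the client side what the partner's server actually speaks and that its certificate chains to a CA you trust. The following is an added example, not code from this thread or from Palo Alto Networks; it uses Python's standard ftplib, and host, port, user, password and ca_file are placeholders for your own partner's details. It handles both explicit FTPS (AUTH TLS upgrade on the FTP control port) and implicit FTPS (TLS from the first byte, port 990 by convention), which is why the firewall only sees 'ssl' on the implicit port until you decrypt.

```python
"""Verified FTPS (FTP over TLS) check; explicit upgrades with AUTH TLS on the
FTP control port, implicit is TLS from the first byte (990 by convention).
Neither is SFTP, which runs over SSH."""
import socket
import ssl
from ftplib import FTP_TLS


def strict_tls_context(ca_file=None):
    """Refuse untrusted, expired or misnamed certificates and anything below TLS 1.2.
    ca_file: PEM bundle of a private CA (placeholder); None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ImplicitFTPS(FTP_TLS):
    """ftplib only speaks explicit FTPS; wrap the socket at connect for implicit."""

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        self.host, self.port = host or self.host, port or self.port
        if timeout != -999:
            self.timeout = timeout
        raw = socket.create_connection((self.host, self.port), self.timeout,
                                       source_address=source_address)
        self.af = raw.family
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def check_ftps(host, port, implicit, user, password, ca_file=None):
    """Log in over a verified TLS control channel; return (tls_version, subject).
    A bad certificate raises ssl.SSLError, a bad login ftplib.error_perm."""
    ctx = strict_tls_context(ca_file)
    ftp = ImplicitFTPS(context=ctx) if implicit else FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=10)
    if not implicit:
        ftp.auth()             # AUTH TLS before any credential is sent
    ftp.login(user, password)
    ftp.prot_p()               # PROT P: data connections are TLS as well
    ftp.nlst()                 # passive data connection: a separate server port
    version = ftp.sock.version()
    subject = ftp.sock.getpeercert().get("subject")
    ftp.quit()
    return version, subject
```

Run it once against the partner's published port with implicit=True and once with implicit=False; whichever succeeds tells you which mode (and therefore which port and which app-id pattern) your security rule needs to cover, and the nlst() call exercises the passive data connection the rule must also allow.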