cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Passive FTP

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
andyyps
Not applicable
‎03-24-2011 03:01 PM
‎03-24-2011 03:01 PM

Passive FTP

Hi,

Is there any trick to allow passive FTP inbound?

I have set a security rule to allow APPLICATION-FTP inbound, and a NAT rule to let Port 21 inbound. Works fine for ACTIVE, but PASSIVE fails at the LIST command.

Help would be appreciated.

Thanks.

Dean

Tags (3)
0 Likes
Reply

Accepted Solutions
Highlighted
bpappas
L6 Presenter
‎05-04-2011 11:54 AM
‎05-04-2011 11:54 AM

Reverting to the 243 content release will fix the issue.

The 244 content has been pulled and the content team is currently working on a fix.

-Benjamin

View solution in original post

0 Likes
Reply

All Replies
Highlighted
gsamuels
L3 Networker
‎03-24-2011 07:12 PM
‎03-24-2011 07:12 PM

Application FTP covers both activ and passive ftp, unless you have it set for application default on the policy there should be no reason for us to drop this traffic.

We may need to take a closer look at your policy.

Reply
Highlighted
KGC
L3 Networker
‎05-02-2011 08:45 PM
‎05-02-2011 08:45 PM

I am confused - so we should *not* set our FTP policy for application-default?

We are having the same issues - our outbound FTP (using the ftp application and application-default service) will only allow active mode FTP. Yet oddly, out inbound FTP rule using the same configuration is working for both PASV and active mode.

???

0 Likes
Reply
Highlighted
mjacobsen
L4 Transporter
‎05-02-2011 10:33 PM
‎05-02-2011 10:33 PM

It is possible you are running into an issue we recently uncovered with NAT when a client and server both support FTP extensions and use EPSV/EPRT instead of the normal PASV/PORT commands for active connections. This is being addressed and should be fixed in an upcoming content release. If either the client or the server do not advertise support for those extensions, everything will work fine through NAT.

Mike

Reply
Highlighted
KGC
L3 Networker
‎05-03-2011 09:46 AM
‎05-03-2011 09:46 AM

Thanks - so what would be the work-around in the meantime?

Specifically, we have users who use IE/Windows Explorer as their FTP client to transfer files to and from our internal server in the DMZ. They have always had the "Use Passive" options checked which worked until we moved to the PA firewalls. Now it does not work.

The same FTP server (using an identical security rule) performs fine externally using PASV mode.

The only difference, as you mentioned, is the NAT rule: from the trust zone it uses a dynamic ip-and-port source translation, and from untrust it uses destination translation on TCP 21.

Is there anything we can do on the firewall to work around this issue?

0 Likes
Reply
Highlighted
camkim_MDEA
Not applicable
‎05-04-2011 11:38 AM
‎05-04-2011 11:38 AM

If we roll back from the threat updates dated 5/3, is that a temporary workaround? Been on hold for 15 minutes, trying to talk somebody about this.

0 Likes
Reply
Highlighted
bpappas
L6 Presenter
‎05-04-2011 11:54 AM
‎05-04-2011 11:54 AM

Reverting to the 243 content release will fix the issue.

The 244 content has been pulled and the content team is currently working on a fix.

-Benjamin

View solution in original post

0 Likes
Reply
Highlighted
KGC
L3 Networker
‎05-04-2011 12:22 PM
‎05-04-2011 12:22 PM

Hmm, but we never ran on this version of content updates on our firewalls. Panorama did download and apply it locally, but the firewalls aren't set to auto-apply.

And I just saw the retraction accouncement posted here - is there any way to subscribe to these?

0 Likes
Reply
Highlighted
bpappas
L6 Presenter
‎05-04-2011 12:58 PM
‎05-04-2011 12:58 PM

@Ksemenov:

currently you have two options:

1. subscribe to the PA Networks Support Team Twitter feed: pantwks_support

2. keep an eye on the top page of our Knowledge Point site for important announcements

We are working on enhancing this further to improve customer visibility on important issues.

-Benjamin

0 Likes
Reply
Highlighted
joshsmtech
Not applicable
‎05-04-2011 02:00 PM
‎05-04-2011 02:00 PM

Yes, we are having the same issue with passive FTP. Traffic is getting blocked by the implicit deny rule I have in place, probably because NAT is messing with the connection. I was able to get around temporarily by permitting all port from our source IP to the specific remote IP. This was temporary from one of our critical transfer. I just reverted back to Content Update 243 and am waiting for our sysadmin to test again.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks