Ok, I'm at my wit's end with TAC.. after 7 months of explaining the issues, collecting logs, and then starting over when a new agent takes the case, I'm hoping the community can help me. I've had inbound decryption set up for our FTP server for some time. We noticed an issue after updating to 10.0.8 (we're now on 10.1.5-h1 ) where people seemed to not be able to connect anymore. After investigating, it appears that in Filezilla they are actually able to connect but it looks like they aren't because a TLS error occurs and the LIST command fails. Right-clicking on the remote side and hitting Refresh several times will often eventually complete the directory listing. This is with FTPS set to "Require explicit FTP over TLS" and with the Transfer Method set to Default (which I think may be Passive). This issue appears to be intermittent and sometimes it seems to connect fine. Further investigation also showed the following: The TLS error mentioned above when the LIST command fails is "GnuTLS error -110: The TLS connection was non-properly terminated." followed by "Server did not properly shut down TLS connection" followed by "The data connection could not be established: ECONNABORTED - Connection Aborted" and then followed by "Failed to retrieve the directory listing". Decryption logs GUI shows "General TLS Protocol Error" when this happens. Error showing: "Server sent unsorted certificate chain in violation of the TLS specifications" at the start of each connection attempt Changing the Transfer Method to Active seems to make it more reliable as far as connecting without a TLS error and getting the directory listed automatically (it still complains about the certificate chain) Even with Active set, we then sometimes get a message indicating that the connection isn't secure because the server previously was detected as supporting TLS session resumption (I'm assuming this was either working before through the Palo and now it isn't or it's because when we've tested we've connected directly to the server which supports it) Trying another client, WinSCP also doesn't list the directory on Passive.. it works when changed to Active. I have no idea if it is getting any errors/warnings as I haven't noticed if there is a log view in that software. Turning off the decryption rule resolves all of the issues.. the FTP connection is also a lot less verbose (in another words, when decryption is turned on there is a lot more chatting with commands/responses between the client and the firewall/server) It looks like someone else has run into an issue like this before with Passive FTP and it was related to an issue with the content packs https://live.paloaltonetworks.com/t5/general-topics/passive-ftp/td-p/11573 Anyone else having any issues or have any experience in what I can do to resolve this? Thanks!
... View more