
FTP Server behind Palo Alto pair and Azure External Load Balancer Not getting directory


L2 Linker

I have a "HA" pair of firewalls in Azure sitting behind an external Load Balancer. I have a FTP server that I have to configure behind the firewalls.  I am able to connect locally to the FTP server and it works as expected, but when I point the FTP client to the Public IP address of the LB, I am able to connect, but not get the directory.  I am using passive FTPS. I see the connection in the traffic table, and it has NAT applied and Allowed by the correct Security Rule.  I am thinking it may be Azure causing the issue, but am unsure at this point.

 

Any suggestions would be greatly appreciated.

8 replies

Cyber Elite

Hello,

Are the PANs active/passive or active/active? If A/A, it's probably asymmetric routing back to the client.

 

Just a thought.

L4 Transporter

What is your NAT configuration?  You should have both a Destination NAT of the FTP server and a Source NAT of the Trust side interface of the Firewall in the NAT policy.  That will ensure proper return path.

L2 Linker

Are you using FTP or FTPS? I see both mentioned in your post. Also, when you say you see the connection in the traffic table, do you see both the control and data channels or just the control?

 

One thing to look at is the distribution mode on the load balancer:

 

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode

 

If you are using 'None' as the distribution mode, the load balancer will use src IP, src port, dst IP, dst port, and protocol to determine the backend pool member to use. If the control channel lands on one FW and the data channel on the other, the data channel will be dropped. Changing to one of the other distribution algorithms ("src IP" or "src IP and protocol") should ensure that both land on the same FW.
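To make the distribution-mode point concrete, here is an added Python model (not code from this thread or from Azure) of how a hash-based load balancer picks a backend firewall for the passive-FTP control connection and the separate data connection. The SHA-256 hash, the firewall names and the client/LB addresses are assumptions standing in for Azure's real hash; only determinism matters for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIREWALLS = ["PAN-A", "PAN-B"]  # constructed backend pool: the two firewalls behind the LB


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def hash_key(flow: Flow, mode: str) -> tuple:
    """Fields the LB hashes for each distribution mode named in the thread."""
    if mode == "None":                # default: 5-tuple
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
    if mode == "SourceIP":            # 2-tuple
        return (flow.src_ip, flow.dst_ip)
    if mode == "SourceIPProtocol":    # 3-tuple
        return (flow.src_ip, flow.dst_ip, flow.proto)
    raise ValueError(f"unknown distribution mode: {mode}")


def backend_for(flow: Flow, mode: str, backends: List[str] = FIREWALLS) -> str:
    # SHA-256 stands in for Azure's hash (assumption); any deterministic hash shows the effect.
    digest = hashlib.sha256("|".join(map(str, hash_key(flow, mode))).encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def passive_ftp_backends(client_ip: str, lb_ip: str, ctrl_sport: int,
                         data_sport: int, pasv_port: int, mode: str) -> Tuple[str, str]:
    """Firewall chosen for the control connection (to 21) and for the passive data connection."""
    control = Flow(client_ip, ctrl_sport, lb_ip, 21, "TCP")
    data = Flow(client_ip, data_sport, lb_ip, pasv_port, "TCP")
    return backend_for(control, mode), backend_for(data, mode)


def find_split(client_ip: str, lb_ip: str, mode: str,
               pasv_port: int = 50100, tries: int = 200) -> Optional[Tuple[int, int]]:
    """Client source ports whose control and data flows land on different firewalls, or None."""
    for sport in range(40000, 40000 + tries):
        ctrl, data = passive_ftp_backends(client_ip, lb_ip, sport, sport + 1, pasv_port, mode)
        if ctrl != data:
            return sport, sport + 1
    return None


if __name__ == "__main__":
    for m in ("None", "SourceIP", "SourceIPProtocol"):
        print(m, "->", find_split("203.0.113.10", "198.51.100.5", m))
```

With the 5-tuple mode a split is found almost immediately, while the two source-IP based modes never split the session, which is the behaviour the reply above describes.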

I am using FTPS, but also tested with FTP.  I am using Src IP and Protocol for the transmission of the packets through the load balancer.  I have other services working as expected on the PAs.  As far as traffic, I only see the control traffic in the monitor tab.

The firewalls are in an A/A setup, but Azure doesn't really do HA, so they don't synchronize the session information.

Hi! Did you ever resolve this issue? I am facing the same problem and have not been able to find a solution. I have to add that my FTP works if I force the client into Active mode. I can then see the DATA traffic using TCP 20. However, it does not work when using Passive mode, which is required for FTPS. Appreciate any assistance here. Thank you in advance!!

L0 Member

Same here, anyone solved this issue?

were you able to solve this?
