
FTP

L4 Transporter

How can I verify whether port 21 ftp traffic is being blocked by the PA 302?


Cyber Elite

In most common situations the traffic log should show you this but you may need to add a drop rule at the bottom of your rulebase to log blocked sessions if you don't already have this.

Are you looking for a specific sort of session being blocked?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I have a clean-up rule and I am not seeing a drop. I see "insufficient data", but it still says allow. Yes, I am looking at a specific FTP session to a defined IP address.

If you're seeing "insufficient data" for the corresponding session, it might be that the server is not responding (possibly because it is running an access list, or because it is listening on a non-default port).

Other possible issues could be that your session is not being NATed properly, the server does not have a proper route back to your device, the upstream router does not have a route back, or there may be an ARP issue.

"Insufficient data" usually means the Palo Alto sees your SYN packet go out, but no packet coming back to complete proper session setup.

regards

Tom

Tom Piens

L4 Transporter

When you say the server is not responding, you mean the FTP server that the user is trying to connect to at the remote site? I put the IP address in a browser and the login information comes up for the FTP site, so I assumed it was not being blocked. So if it's going out and the packet is not coming back, would that be caused by the FTP server or the PA?

Hi!

In the GUI, under the Monitor tab, there's a Packet Capture menu; this will allow you to set up pcaps on the firewall to see what is going on.

As filters, it might be good to start out broadly with the server IP as destination and a second filter with the server as source (the filters are session-aware, but setting an additional filter could help catch rogue packets).

Then you can set the receive and transmit stages, which will generate 2 separate pcaps.

The difference between these is that the transmit stage will only show you packets leaving the firewall, and the receive stage only contains packets arriving on the firewall.

Correlating these 2 could help pinpoint whether a packet is dropped by the firewall or is not being received.

To make sure the server is accepting regular FTP connections, do you happen to have an unfirewalled external line?

Tom Piens

If you are using a browser, and the site has an HTTP server configured as a front-end for the FTP site, it will not yet be FTP. It will likely be web-browsing, and once the login is completed the firewall will see that it is actually FTP and will block it according to your rules.

If instead of a browser, you were to use a native FTP client like Filezilla, you should see the block after the site sends the native FTP "220" response after the TCP handshake.

Hope this helps,

Greg

The FTP site is at a vendor facility; I have no access to it to see what is going on. We have contacted the vendor and they asked me to see if we have FTP port 21 blocked. I do not see anything that would tell me 100% if it is blocked. I don't know what you are asking with "do you happen to have an unfirewalled external line?"

The FTP site is at a vendor facility; I have no access to it to see what is going on. Trying FileZilla is a good idea; I will download that and give it a try.

Hi

With an "unfirewalled external line" I meant to inquire whether you have the option to connect a client to a home DSL/cable line, or to attach it just outside the firewall. This would allow you to easily verify that the FTP connection itself is functional before needing to go into firewall debugging.

Tom

Tom Piens

Yes, I have the ability to connect to one of our ISPs outside of the firewall. The only thing is that the FTP connection I am trying to access is outside of our network, so I assume you mean: can I connect to it when I am outside of our network?

You can telnet to port 21 and see what replies you get from the FTP server and at what point you lose the connection. Based on the results you get, you'll be able to narrow the troubleshooting area.

for example

telnet ftp.site.com 21

and issue commands

USER username

PASS password

PASV

RETR filename

QUIT

If you don't get any replies back, make sure you have a policy that allows port 21 connections to the FTP server.

If you are able to log in but can't download the file, make sure you have a policy for the FTP application, or allow high ports to the FTP server.

Also verify that the FTP client is set to use passive mode.
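The manual telnet walk-through above, scripted: the following is an added example and is not code from the thread or from Palo Alto Networks. It opens TCP/21 and classifies what comes back (nothing at all, which is what the firewall logs as "insufficient data"; a RST; a TCP connection with no 220 greeting; or a real banner), then runs the USER / PASS / PASV / QUIT sequence and decodes the 227 reply into the high data port that the firewall would also have to allow. The FakeFtpServer is a constructed stand-in for the vendor's server so the script runs offline; its replies, the user name `user` and the password `secret` are made up. Point `probe_ftp()` and `ftp_login_check()` at a real host and port to use it for real.

```python
"""Probe an FTP control channel the way the manual telnet test does.
Added example (not from the thread). FakeFtpServer is a constructed
stand-in so everything runs offline against 127.0.0.1."""
import re
import socket
import threading

FTP_PORT = 21


def read_reply(sock):
    """Read one RFC 959 reply, including the multi-line '220-...' / '220 ' form.
    Returns (3-digit code, full reply text)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("control connection closed by peer")
        buf += chunk
        if not buf.endswith(b"\n"):
            continue                                  # wait for a complete line
        text = buf.decode("latin-1")
        lines = text.splitlines()
        code = lines[0][:3]
        if len(lines[0]) >= 4 and lines[0][3] == "-":
            # multi-line reply: finished only once a line starts "<code><space>"
            if not any(l.startswith(code + " ") for l in lines[1:]):
                continue
        return code, text


def probe_ftp(host, port=FTP_PORT, timeout=5.0):
    """Classify the TCP/21 handshake and greeting. Returns (status, detail):
    timeout   - SYN out, nothing back: the firewall's 'insufficient data' case
    refused   - RST came back: host reachable, nothing listening on the port
    no_banner - TCP connected but no 220: something accepted the SYN that is not FTP
    banner    - 220 greeting received: port 21 is not blocked on this path"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout", "no SYN/ACK within %.1fs" % timeout
    except ConnectionRefusedError:
        return "refused", "TCP RST received"
    except OSError as exc:
        return "error", str(exc)
    with sock:
        sock.settimeout(timeout)
        try:
            code, text = read_reply(sock)
        except (socket.timeout, ConnectionError) as exc:
            return "no_banner", "connected but no greeting: %s" % exc
        return ("banner" if code == "220" else "unexpected"), text.strip()


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); port = p1*256 + p2 is the high port
    the data channel will use, so a port-21-only rule is not enough."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def ftp_login_check(host, port, user, password, timeout=5.0):
    """Script USER / PASS / PASV / QUIT and record each reply code, so you can
    see at which step the conversation stops."""
    steps = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        steps["banner"], _ = read_reply(sock)
        for verb, cmd in (("USER", "USER " + user), ("PASS", "PASS " + password),
                          ("PASV", "PASV"), ("QUIT", "QUIT")):
            sock.sendall((cmd + "\r\n").encode("latin-1"))
            steps[verb], text = read_reply(sock)
            if verb == "PASV" and steps[verb] == "227":
                steps["data_endpoint"] = parse_pasv(text)
    return steps


class FakeFtpServer(threading.Thread):
    """Constructed minimal control-channel responder for offline demos only;
    replies are made up and no data channel is ever opened."""
    REPLIES = {"USER": "331 Password required", "PASS": "230 Logged in",
               "PASV": "227 Entering Passive Mode (127,0,0,1,195,80)",  # port 50000
               "QUIT": "221 Goodbye"}

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))               # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:                                    # one client at a time
            conn, _ = self.sock.accept()
            with conn, conn.makefile("rb") as lines:
                conn.sendall(b"220-Constructed test FTP server\r\n220 Service ready\r\n")
                for line in lines:
                    verb = line.decode("latin-1").split(" ")[0].strip().upper()
                    reply = self.REPLIES.get(verb, "502 Command not implemented")
                    conn.sendall((reply + "\r\n").encode("latin-1"))
                    if verb == "QUIT":
                        break


def demo():
    """Run the probe against a closed local port and against the fake server."""
    server = FakeFtpServer()
    server.start()
    tmp = socket.socket()                              # learn a port that is closed
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return {"closed_port": probe_ftp("127.0.0.1", closed_port)[0],
            "open_port": probe_ftp("127.0.0.1", server.port)[0],
            "login": ftp_login_check("127.0.0.1", server.port, "user", "secret")}


if __name__ == "__main__":
    print(demo())
```

Read the result the way the post describes: `timeout` from inside the network but `banner` from a line outside the firewall points at the firewall, NAT or return routing; `banner` from both, followed by a 227 but a failed transfer, points at the data channel, that is, the PASV high port (or the `ftp` App-ID) rather than port 21.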

So I should try to telnet to the FTP server at my vendor's site and see what happens? I did try it through a web browser and got to the point where it asks for our user name and password, but my user did not know his credentials.

I got this

**ATTENTION**

STATE AND FEDERAL STATUTES MAKE IT A CRIME TO GAIN
UNAUTHORIZED ACCESS INTO THIS COMPUTER SYSTEM.
VIOLATORS WILL BE PROSECUTED.

SYSTEM USE IS ONLY FOR AUTHORIZED BUSINESS PURPOSES.


login:

I don't think I have it blocked

Running FTP from a browser will likely use outbound port 80 rather than 21, so the results may be very different from using an FTP client.

If you are outside of your network, are you able to connect using an ftp client ?

Tom Piens
  • 5963 Views
  • 17 replies
  • 0 Likes