topic Thanks for taking the time to in Cloud Security

FTP through CWS

david.bryant1 — Sat, 09 Mar 2019 01:39:20 GMT

Hi,

I have a requirement for access to 3 FTP sites to download data from. The users currently have this automated through a an application called KAPOW which is an internet data scraping application. I would much prefer that raw FTP access through our firewall was removed and I found a solution to have the FTP go through 8080 and our cisco web security towers.

Has anyone configured something similar before?

I have spoken to Cisco and Cisco Web Security is unable to take the FTP and put it through 8080. I need to find some way of doing this.

Davie

Cisco Web Security does

Tao Yang — Wed, 20 Apr 2016 04:33:39 GMT

Cisco Web Security does support that way as long as your FTP client application supports using HTTP CONNECT method.

For example, in FileZilla you could configure WSA IP in Generic proxy and just need to ensure it is using HTTP/1.1 CONNECT method.

As FTP is using two channels, the only thing you need to be aware of is to ensure all ports will be allowed in HTTP CONNECT Ports settings within the corresponding WSA access policy>Protocols and User Agents configurations. Otherwise you will see the following.

1461125975.700 0 x.x.x.x TCP_DENIED/403 0 CONNECT tunnel://208.90.57.232:10556/ - NONE/- - BLOCK_ADMIN_CONNECT_12-test.AP-test.ID-NONE-NONE-NONE-NONE <C_Skyp,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - "FileZilla"

Here is an example:

Then you will be able to access any FTP site and here are the corresponding access logs.

1461126151.522 177330 x.x.x.x TCP_MISS/200 1049 CONNECT tunnel://ftp.ironport.com:21/ - DIRECT/ftp.ironport.com - ALLOW_WBRS_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <IW_csec,9.3,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.05,0,-,"-","-",1,"-",-,-,"-","-"> - "FileZilla" - 208.90.57.232

1461126153.598 706 x.x.x.x TCP_MISS/200 27875 CONNECT tunnel://208.90.57.232:9378/ - DIRECT/208.90.57.232 - ALLOW_CUSTOMCAT_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <IW_csec,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",315.86,0,-,"-","-",-,"-",-,-,"-","-"> - "FileZilla" - 208.90.57.232

Thanks for taking the time to

david.bryant1 — Thu, 21 Apr 2016 14:13:55 GMT

Thanks for taking the time to reply!

IF using HTTP connect does CWS just relay the traffic tot he FTP site and back to the source through CWS. Or does it scan the file on the way back to the client? I really want to have the FTP files scanned before they enter our network.

Thanks,

Davie

Hello Davie,

Tao Yang — Fri, 22 Apr 2016 01:26:30 GMT

Hello Davie,

Firstly this solution is for WSA the on premise solution Additionally, as it is using HTTP CONNECT method, there is no way for WSA to see the exact file inside as it is encapsulated in the tunnel.

Hope it helps.