topic Re: FTP inspection on FTD? in Network Security

FTP inspection on FTD?

dejan_jov1 — Fri, 21 Feb 2020 16:52:21 GMT

Hi,

what is the correct way to configure the FTD 21XX so that the internal clients can use FTP on external ftp servers.

I know that on ASAs we had ftp inspection that worked but i have hard time to find out how to configure the Firepower.

I see that clients can connect to servers on dest port 21 but they are blocked as soon as the server tries to make new connection to clients on source port 21 and then on high numbered ports.

I tried to configure access rules with ports and with applications but with same results.

Output from FTD cli:

> show running-config | include ftp
ftp mode passive

...

inspect ftp

Thanks in advance

Re: FTP inspection on FTD?

socratesp1980 — Wed, 27 Feb 2019 08:58:27 GMT

Hello dejan_jov1

This may can be done using the flexconfig

Objects --> Object Management --> FlexConfig --> FlexConfig Object

Find the "Default_Inspection_protocol_disable edit it

and on the "variables place write the value ftp

Then on devices Flexconfig create a new policy on your ftd and add the Default_Inspection_protocol_disable

Save and apply

Hope that works

Re: FTP inspection on FTD?

dejan_jov1 — Wed, 27 Feb 2019 09:37:30 GMT

Hi,

Thanks for your reply!

Do I understand this correctly: I need to disable "inspect ftp" over Flexconfig so that my internal users can use active and passive ftp?

Re: FTP inspection on FTD?

socratesp1980 — Wed, 27 Feb 2019 09:42:42 GMT

Actually yes, This will remove the ftp protocol from your inspection policies. If you do a configuration preview Under flex config policy you will the correct configuration command that will be applied

Re: FTP inspection on FTD?

dejan_jov1 — Wed, 27 Feb 2019 10:16:07 GMT

I configured the "no inspect ftp" on FTD trough CLI I see that it is turned off in global_policy map, but unfortunatelly it is still not working. Maybe I haven't corectly explained it but this ist the problem that I have:

In event logs I see this Block action that is causing the problems:

In my Access policies I allowed that my internal Users can reach external FTP servers and here I even allowed that the exernal servers can reach my internal users with TCP source port 21.

Re: FTP inspection on FTD?

socratesp1980 — Wed, 27 Feb 2019 10:47:26 GMT

It looks your access lists are working fine. Though your ftp application I using other non-standard ports (63103,63102,63106 etc). I think it is something you need to sort it with your application. Maybe it needs a certain number of tcp ports to work and you should add them to an object.

Re: FTP inspection on FTD?

dejan_jov1 — Wed, 27 Feb 2019 11:57:08 GMT

I can't open all the ports that the ftp is using, it's simply to many of them. This is normal behavior of FTP that the server is trying to open a second channel to client but I don't want to open the whole range of ports for FTP to work...

Re: FTP inspection on FTD?

dejan_jov1 — Tue, 12 Mar 2019 14:39:28 GMT

Hi,

As a Workaround I configured an Prefilter Policy with Fastpath Action for TCP 21 port and it works this way.

But this is also only an temporary solution because this way we have no advanced features for this traffic.

Re: FTP inspection on FTD?

Shervin SoAb — Sun, 06 Dec 2020 11:25:05 GMT

@dejan_jov1 , @socratesp1980

I have exactly the same problem.

But I don´t want the traffic goes through FTD without inspection.

What is your idea in this regard.

Thanks in advance.

Re: FTP inspection on FTD?

Marvin Rhoads — Tue, 08 Dec 2020 08:34:26 GMT

Even if you fastpath through FTD using a prefilter rule, the flow should still hit any configured ALG (Application Layer Gateway = service policy-based inspection) that's configured in the LINA code.