FTP through CWS

david.bryant1
Level 1

Hi,

I have a requirement for access to 3 FTP sites to download data from. The users currently have this automated through an application called KAPOW, which is an internet data scraping application. I would much prefer that raw FTP access through our firewall was removed, and I found a solution to have the FTP go through 8080 and our Cisco web security towers.

Has anyone configured something similar before?

I have spoken to Cisco and Cisco Web Security is unable to take the FTP and put it through 8080. I need to find some way of doing this.

Davie

3 Replies

Tao Yang
Cisco Employee

Cisco Web Security does support that way as long as your FTP client application supports using HTTP CONNECT method.

For example, in FileZilla you could configure WSA IP in Generic proxy and just need to ensure it is using HTTP/1.1 CONNECT method.

As FTP is using two channels, the only thing you need to be aware of is to ensure all ports will be allowed in HTTP CONNECT Ports settings within the corresponding WSA access policy>Protocols and User Agents configurations. Otherwise you will see the following.

1461125975.700 0 x.x.x.x TCP_DENIED/403 0 CONNECT tunnel://208.90.57.232:10556/ - NONE/- - BLOCK_ADMIN_CONNECT_12-test.AP-test.ID-NONE-NONE-NONE-NONE <C_Skyp,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - "FileZilla"

Here is an example:

[Screenshot: UserAgent]

Then you will be able to access any FTP site and here are the corresponding access logs.

1461126151.522 177330 x.x.x.x TCP_MISS/200 1049 CONNECT tunnel://ftp.ironport.com:21/ - DIRECT/ftp.ironport.com - ALLOW_WBRS_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <IW_csec,9.3,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.05,0,-,"-","-",1,"-",-,-,"-","-"> - "FileZilla" - 208.90.57.232

1461126153.598 706 x.x.x.x TCP_MISS/200 27875 CONNECT tunnel://208.90.57.232:9378/ - DIRECT/208.90.57.232 - ALLOW_CUSTOMCAT_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <IW_csec,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",315.86,0,-,"-","-",-,"-",-,-,"-","-"> - "FileZilla" - 208.90.57.232
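A defender-side check of the access logs described above, added here as an example (it is not from the original thread or from Cisco): it parses WSA access-log lines, ties high-port CONNECT tunnels back to a preceding port-21 tunnel from the same client, and lists which data-channel ports were denied with BLOCK_ADMIN_CONNECT and so are missing from the policy's HTTP CONNECT Ports. The sample log, the 300-second session window and the field layout beyond the first eleven columns are assumptions.

```python
import re
from dataclasses import dataclass

# Leading fields of a WSA access-log line: timestamp, elapsed ms, client,
# result/status, bytes, method, URL, "-", hierarchy, "-", decision tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/\d{3}\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<decision>\S+)")
TUNNEL_RE = re.compile(r"^tunnel://(?P<host>[^:/]+):(?P<port>\d+)/?$")
SESSION_WINDOW_S = 300  # assumed max gap between an FTP control and data tunnel
# Constructed sample modelled on the log lines quoted above; the long
# scanning-verdict block is elided as <...>, addresses are RFC 5737 examples.
SAMPLE_LOG = """\
1461126151.522 177330 10.0.0.5 TCP_MISS/200 1049 CONNECT tunnel://ftp.example.com:21/ - DIRECT/ftp.example.com - ALLOW_WBRS_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <...> - "FileZilla" - 203.0.113.10
1461126153.598 0 10.0.0.5 TCP_DENIED/403 0 CONNECT tunnel://203.0.113.10:10556/ - NONE/- - BLOCK_ADMIN_CONNECT_12-test.AP-test.ID-NONE-NONE-NONE-NONE <...> - "FileZilla"
1461126160.101 706 10.0.0.5 TCP_MISS/200 27875 CONNECT tunnel://203.0.113.10:9378/ - DIRECT/203.0.113.10 - ALLOW_CUSTOMCAT_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <...> - "FileZilla" - 203.0.113.10
1461126170.000 50 10.0.0.9 TCP_MISS/200 500 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - ALLOW_WBRS_12-test.AP-test.ID-NONE-NONE-NONE-DefaultGroup <...> - "Mozilla"
"""

@dataclass
class TunnelEvent:
    ts: float
    client: str
    host: str
    port: int
    decision: str
    channel: str  # "ftp-control", "ftp-data" or "other"

def parse_tunnels(log_text: str) -> list[TunnelEvent]:
    """Extract CONNECT tunnels and label FTP control/data channels per client."""
    events: list[TunnelEvent] = []
    last_control: dict[str, float] = {}  # client -> ts of its last port-21 tunnel
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        t = TUNNEL_RE.match(m["url"]) if m and m["method"] == "CONNECT" else None
        if not t:
            continue
        ts, client, port = float(m["ts"]), m["client"], int(t["port"])
        channel = "other"
        if port == 21:
            channel, last_control[client] = "ftp-control", ts
        elif port >= 1024 and ts - last_control.get(client, -1e9) <= SESSION_WINDOW_S:
            channel = "ftp-data"  # passive-mode data channel on a high port
        events.append(TunnelEvent(ts, client, t["host"], port, m["decision"], channel))
    return events

def ports_to_allow(events: list[TunnelEvent]) -> list[int]:
    # FTP data ports denied with BLOCK_ADMIN_CONNECT: missing from HTTP CONNECT Ports.
    return sorted({e.port for e in events if e.channel == "ftp-data"
                   and e.decision.startswith("BLOCK_ADMIN_CONNECT")})
```

Note that the byte counts in these lines are tunnelled bytes only; as the follow-up reply explains, WSA cannot inspect the file inside a CONNECT tunnel.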

Thanks for taking the time to reply!

If using HTTP CONNECT, does CWS just relay the traffic to the FTP site and back to the source through CWS? Or does it scan the file on the way back to the client? I really want to have the FTP files scanned before they enter our network.

Thanks,

Davie

Hello Davie,

Firstly, this solution is for WSA, the on-premise solution. Additionally, as it is using the HTTP CONNECT method, there is no way for WSA to see the exact file inside, as it is encapsulated in the tunnel.

Hope it helps.