Beginner

FTP inspection on FTD?

Hi,

What is the correct way to configure the FTD 21XX so that internal clients can use FTP to external FTP servers?

I know that on ASAs we had FTP inspection that worked, but I am having a hard time finding out how to configure this on Firepower.

I see that clients can connect to servers on destination port 21, but they are blocked as soon as the server tries to make a new connection to the clients from source port 21 and then on high-numbered ports.

I tried to configure access rules with ports and with applications, but with the same results.

Output from FTD cli:

> show running-config | include ftp
ftp mode passive

...

inspect ftp

Thanks in advance

Beginner

Re: FTP inspection on FTD?

Hello dejan_jov1,

This can be done using FlexConfig:

Objects --> Object Management --> FlexConfig --> FlexConfig Object

Find the "Default_Inspection_protocol_disable" object and edit it,

and in the "variables" field enter the value ftp.

Then under Devices --> FlexConfig, create a new policy for your FTD and add Default_Inspection_protocol_disable.

Save and apply.

Hope that works.

Beginner

Re: FTP inspection on FTD?

Hi,

Thanks for your reply!

Do I understand this correctly: I need to disable "inspect ftp" via FlexConfig so that my internal users can use active and passive FTP?

Beginner

Re: FTP inspection on FTD?

Actually yes. This will remove the FTP protocol from your inspection policies. If you do a configuration preview under the FlexConfig policy, you will see the exact configuration command that will be applied.

Beginner

Re: FTP inspection on FTD?

I configured "no inspect ftp" on the FTD through the CLI and I see that it is turned off in the global_policy policy-map, but unfortunately it is still not working. Maybe I haven't explained it correctly, but this is the problem that I have:

In the event logs I see this Block action that is causing the problems:


(attached image: Event log.jpg)

In my access policies I allowed my internal users to reach external FTP servers, and I even allowed the external servers to reach my internal users with TCP source port 21.

Beginner

Re: FTP inspection on FTD?

It looks like your access lists are working fine. Though your FTP application is using other non-standard ports (63103, 63102, 63106, etc.). I think it is something you need to sort out with your application. Maybe it needs a certain number of TCP ports to work and you should add them to an object.

Beginner

Re: FTP inspection on FTD?

I can't open all the ports that FTP is using; there are simply too many of them. It is normal FTP behavior that the server tries to open a second channel to the client, but I don't want to open the whole range of ports for FTP to work...
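The "second channel" described above is the FTP data connection, and its port is negotiated inside the control channel: in active mode the client sends PORT (or EPRT) with the address and port it is listening on, and the server connects to it from TCP port 20; in passive mode the server answers PASV (or EPSV) with the port the client must connect to. A static access rule cannot know these ports in advance, which is exactly what stateful FTP inspection (the `inspect ftp` seen in the CLI output earlier in this thread) solves by parsing the control channel and opening the data connection dynamically. The script below is an added example that is not part of the original thread or of any Cisco tool: it parses a constructed control-channel transcript and derives the per-transfer pinhole a firewall would have to permit, including the client 10.1.1.5 and server 203.0.113.10 addresses, the port encodings and the anti-bounce check, all of which are assumptions of this example.

```python
"""Derive FTP data-channel pinholes from control-channel messages (RFC 959 / RFC 2428).

Added example, not code from the original thread. All hosts and messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Control-channel messages that announce a data connection.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([^|]+)\|(\d+)\|\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Pinhole:
    """The single data connection a firewall must permit for one transfer."""
    mode: str         # "active" (server connects to client) or "passive" (client connects to server)
    initiator: str    # IP that opens the data connection
    target: str       # IP that receives it
    target_port: int  # port negotiated on the control channel


def _host_port(groups) -> Optional[tuple]:
    """Decode the h1,h2,h3,h4,p1,p2 encoding; None if any field is out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_pinhole(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Return the data-channel pinhole implied by one control-channel line, or None."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        hp = _host_port(m.groups())
        # Only accept a PORT that points back at the client itself (anti-bounce sanity
        # check; a design choice of this example, not a claim about any vendor's code).
        if hp is None or hp[0] != client_ip:
            return None
        return Pinhole("active", server_ip, hp[0], hp[1])
    m = EPRT_RE.match(line)
    if m:
        if m.group(1) != client_ip:
            return None
        return Pinhole("active", server_ip, m.group(1), int(m.group(2)))
    m = PASV_RE.match(line)
    if m:
        hp = _host_port(m.groups())
        return None if hp is None else Pinhole("passive", client_ip, hp[0], hp[1])
    m = EPSV_RE.match(line)
    if m:
        return Pinhole("passive", client_ip, server_ip, int(m.group(1)))
    return None


def pinholes_for_session(lines: List[str], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk a control-channel transcript and collect every data pinhole it implies."""
    found = []
    for line in lines:
        p = data_pinhole(line, client_ip, server_ip)
        if p:
            found.append(p)
    return found


# Constructed sample: client 10.1.1.5 behind the firewall, external server 203.0.113.10.
CLIENT_IP, SERVER_IP = "10.1.1.5", "203.0.113.10"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 10,1,1,5,246,127",                             # active: 246*256+127 = 63103
    "150 Opening data connection",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,80).",  # passive: 195*256+80 = 50000
    "229 Entering Extended Passive Mode (|||50001|)",    # passive, EPSV form
    "EPRT |1|10.1.1.5|63104|",                           # active, EPRT form
    "PORT 192,0,2,1,246,127",                            # rejected: not the client's address
]

if __name__ == "__main__":
    for p in pinholes_for_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP):
        print(f"{p.mode:7s} allow {p.initiator} -> {p.target}:{p.target_port}")
```

Run it and the active-mode entries show why the access rule in this thread cannot work: the server must reach the client on 63103, 63104 and whatever the next PORT announces, so the only static alternatives are opening the whole ephemeral range or letting the inspection engine open each pinhole as it sees the command.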

Beginner

Re: FTP inspection on FTD?

Hi,

As a workaround I configured a Prefilter Policy with a Fastpath action for TCP port 21, and it works this way.

But this is also only a temporary solution, because this way we have no advanced features for this traffic.