What is the correct way to configure the FTD 21XX so that the internal clients can use FTP on external FTP servers?
I know that on ASAs we had FTP inspection that worked, but I have a hard time finding out how to configure the Firepower.
I see that clients can connect to servers on dest port 21, but they are blocked as soon as the server tries to make a new connection to clients on source port 21 and then on high-numbered ports.
I tried to configure access rules with ports and with applications, but with the same results.
Output from FTD cli:
> show running-config | include ftp
ftp mode passive
Thanks in advance
This may be done using FlexConfig.
Objects --> Object Management --> FlexConfig --> FlexConfig Object
Find the "Default_Inspection_protocol_disable" and edit it,
and in the "variables" field write the value ftp.
Then on Devices --> FlexConfig create a new policy on your FTD and add the Default_Inspection_protocol_disable.
Save and apply.
Hope that works.
Thanks for your reply!
Do I understand this correctly: I need to disable "inspect ftp" via FlexConfig so that my internal users can use active and passive FTP?
I configured "no inspect ftp" on the FTD through the CLI. I see that it is turned off in the global_policy map, but unfortunately it is still not working. Maybe I haven't correctly explained it, but this is the problem that I have:
In the event logs I see this Block action that is causing the problems:
In my access policies I allowed my internal users to reach external FTP servers, and here I even allowed the external servers to reach my internal users with TCP source port 21.
I can't open all the ports that FTP is using; there are simply too many of them. It is normal FTP behavior that the server tries to open a second channel to the client, but I don't want to open the whole range of ports for FTP to work...
As a workaround I configured a Prefilter Policy with the Fastpath action for TCP port 21, and it works this way.
But this is also only a temporary solution, because this way we have no advanced features for this traffic.
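The data-channel problem described in this thread (the server opening a second connection to the client on a port no static rule can list) is exactly what a firewall's FTP inspection engine resolves by reading the control channel. As an added illustration, not code from this thread or from Cisco, the Python below decodes the RFC 959 PORT command and 227 passive reply and derives the pinhole an inspection engine would need to open; the IP addresses and port tuples are constructed samples, and the anti-bounce check is an assumption modelled on typical inspection behaviour.

```python
import re

# Constructed sample control-channel lines (not taken from the thread).
SAMPLE_PORT_CMD = "PORT 10,1,2,3,200,17\r\n"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80).\r\n"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple into (ip, port), or None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_channel_pinhole(line, client_ip, server_ip, ctrl_port=21):
    """Return the data-channel pinhole the inspection engine must open for one
    control-channel line, or None if the line opens no data connection.

    Active mode (client sends PORT): the server connects from ctrl_port - 1
    (20 by default) to the ip:port the client advertised, i.e. an inbound
    connection to a dynamic high port that no static access rule can list.
    Passive mode (server replies 227): the client connects out to the ip:port
    the server advertised, again an unpredictable high port.
    """
    upper = line.strip().upper()
    if upper.startswith("PORT "):
        hp = decode_hostport(line)
        # Assumption: like typical anti-bounce checks, refuse a PORT tuple that
        # points at a host other than the client itself.
        if hp is None or hp[0] != client_ip:
            return None
        return {"mode": "active", "src": (server_ip, ctrl_port - 1), "dst": hp}
    if upper.startswith("227 "):
        hp = decode_hostport(line)
        if hp is None or hp[0] != server_ip:
            return None
        # Client source port is ephemeral, so only the destination is pinned.
        return {"mode": "passive", "src": (client_ip, None), "dst": hp}
    return None
```

Disabling the inspection removes exactly this parsing, so the firewall then sees only an unsolicited inbound connection to a high port, which is what a Block event for the data channel looks like.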