FTP inspection on FTD?

dejan_jov1
Level 1

Hi,


What is the correct way to configure the FTD 21XX so that internal clients can use FTP to external FTP servers?

I know that on ASAs we had FTP inspection that worked, but I am having a hard time finding out how to configure this on Firepower.

I see that clients can connect to servers on destination port 21, but they are blocked as soon as the server tries to make a new connection to the clients from source port 21 and then on high-numbered ports.

I tried to configure access rules with ports and with applications, but with the same results.


Output from FTD cli:

> show running-config | include ftp
ftp mode passive

...

inspect ftp


Thanks in advance

9 Replies

socratesp1980
Level 1

Hello dejan_jov1,

This may be done using FlexConfig:

Objects --> Object Management --> FlexConfig --> FlexConfig Object

Find the "Default_Inspection_protocol_disable" object and edit it,

and in the "variables" field write the value ftp.


Then on Devices --> FlexConfig create a new policy for your FTD and add the Default_Inspection_protocol_disable object.

Save and apply.

Hope that works.

Hi,


Thanks for your reply!

Do I understand this correctly: I need to disable "inspect ftp" via FlexConfig so that my internal users can use active and passive FTP?

Actually yes. This will remove the FTP protocol from your inspection policies. If you do a configuration preview under the FlexConfig policy you will see the correct configuration command that will be applied.

I configured "no inspect ftp" on the FTD through the CLI and I see that it is turned off in the global_policy policy-map, but unfortunately it is still not working. Maybe I haven't explained it correctly, but this is the problem that I have:

In event logs I see this Block action that is causing the problems:

[attached screenshot: Event log.jpg]


In my access policies I allowed my internal users to reach external FTP servers, and here I even allowed the external servers to reach my internal users with TCP source port 21.

It looks like your access lists are working fine. Though your FTP application is using other non-standard ports (63103, 63102, 63106 etc.). I think it is something you need to sort out with your application. Maybe it needs a certain number of TCP ports to work and you should add them to an object.

I can't open all the ports that FTP is using; there are simply too many of them. It is normal FTP behavior that the server tries to open a second channel to the client, but I don't want to open the whole range of ports for FTP to work...

dejan_jov1
Level 1

Hi,


As a workaround I configured a Prefilter Policy with a Fastpath action for TCP port 21, and it works this way.

But this is also only a temporary solution, because this way we have no advanced features for this traffic.

Shervin SoAb
Level 1

@dejan_jov1, @socratesp1980

I have exactly the same problem.

But I don't want the traffic to go through the FTD without inspection.

What is your idea in this regard?


Thanks in advance.

Marvin Rhoads
Hall of Fame

Even if you fastpath through FTD using a prefilter rule, the flow should still hit any configured ALG (Application Layer Gateway = service policy-based inspection) that's configured in the LINA code.
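As an added illustration that is not code from anyone in this thread: the ALG behind "inspect ftp" follows the control channel and opens only the data-channel pinholes that each PORT command or PASV/EPSV reply announces, which is the bookkeeping that the original poster's "second channel on high ports" problem depends on. The Python below does that bookkeeping over a constructed transcript; the addresses, ports, client/server IPs and the client-address check on PORT are assumed sample values and typical ALG behavior, not the FTD's own implementation.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel transcript (not from this thread), in the
# order an inspection engine following the session would see the lines.
SAMPLE_SESSION = [
    ("client", "USER anonymous"),
    ("client", "PORT 10,1,2,3,246,111"),  # active mode: server connects back to client
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,10,200,37)."),
    ("client", "EPSV"),
    ("server", "229 Entering Extended Passive Mode (|||50123|)"),
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")

@dataclass(frozen=True)
class Pinhole:
    direction: str  # "inbound": server -> client (active); "outbound": client -> server (passive)
    dst_ip: str
    dst_port: int

def decode_hostport(h1, h2, h3, h4, p1, p2):
    """RFC 959 host-port string: four address octets, then port = p1 * 256 + p2."""
    port = int(p1) * 256 + int(p2)
    if not 0 < port < 65536:
        raise ValueError(f"invalid port {port}")
    return f"{h1}.{h2}.{h3}.{h4}", port

def pinholes_for_session(session, client_ip, server_ip):
    """Return the data-channel pinholes an FTP ALG would open for this control channel.
    A PORT address other than the client's own is rejected (a typical strict-ALG check)."""
    holes = []
    for side, line in session:
        if side == "client" and (m := PORT_RE.match(line)):
            ip, port = decode_hostport(*m.groups())
            if ip != client_ip:
                raise ValueError(f"PORT address {ip} does not match client {client_ip}")
            holes.append(Pinhole("inbound", ip, port))
        elif side == "server" and (m := PASV_RE.match(line)):
            ip, port = decode_hostport(*m.groups())
            holes.append(Pinhole("outbound", ip, port))
        elif side == "server" and (m := EPSV_RE.match(line)):
            # EPSV reply carries only the port; the address is the control-channel server
            holes.append(Pinhole("outbound", server_ip, int(m.group(1))))
    return holes
```

Run against the sample session it yields one inbound hole to the client's port 63087 and two outbound holes to the server's ports 51237 and 50123, which is exactly the per-session, per-transfer state a static access rule cannot express.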
