FWSM 3.2(5): how to define ftps service?

pweichmann
Level 1

Hi,

How do you define an ftps service? tcp/989, tcp/990 and tcp/20, plus service-policy inspection ftp?

Any help would be appreciated.

5 Replies

Kureli Sankar
Cisco Employee

Under the policy-map you would enable inspect ftp. This will inspect tcp 21 and, depending on active or passive ftp, will automatically open pinholes for the data channel.

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  .
  .
  inspect tftp
service-policy global_policy global

Sorry, I didn't realize you were asking about secure ftp. That cannot be inspected.

-KS

Dear Sankar,

By the way, I mean ftps and not sftp. But you mean that ftps connections cannot be dynamically mapped? What is the most secure approach to ftps, which can go over 990/989 and some dynamic ports?

That is correct. The FTP inspection engine does not understand the SSL/TLS negotiation.

I am not sure making FTPS work is as simple as permitting ports 989/990. You probably would also have to open dynamic ports as well - maybe a range 50000-50004 or something that is required.

-KS
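The two replies above make one point that is easy to take on faith but worth seeing: the FTP inspection engine opens data-channel pinholes by reading the PASV/EPSV/PORT exchange on the cleartext control channel, and with FTPS that exchange is inside TLS, so nothing can be derived and a fixed passive range has to be permitted instead. The following is an added illustration written for this thread, not Cisco code and not a description of the FWSM's internals: it re-implements that parsing step in Python and runs it over two constructed control-channel transcripts, one cleartext and one explicit-TLS (AUTH TLS). Host addresses, ports and the `Pinhole` type are all made up for the demo.

```python
"""Why 'inspect ftp' can open data-channel pinholes for cleartext FTP but not for FTPS.

Added example, not from the thread and not Cisco's implementation. It performs the
same parsing step an FTP inspection engine applies to the control channel: read the
PASV/EPSV/PORT exchange and derive the data-channel endpoint that must be opened.
With FTPS (AUTH TLS) those commands travel inside TLS, so the firewall sees only
ciphertext and no pinhole can be derived; a fixed passive port range has to be
permitted statically instead. All sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): data port is p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|): same host as the control channel
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")
# PORT h1,h2,h3,h4,p1,p2: active mode, the client names the endpoint the server connects to
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


@dataclass(frozen=True)
class Pinhole:
    """One data-channel flow the firewall would have to permit (hypothetical type)."""
    direction: str   # "client->server" (passive) or "server->client" (active)
    host: str        # destination host of the data connection
    port: int        # destination port of the data connection


def _host_port(m: "re.Match") -> (str, int):
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def pinhole_from_line(line: str, server_ip: str) -> Optional[Pinhole]:
    """Derive the data-channel endpoint from one cleartext control-channel line, if any."""
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        host, port = _host_port(m)
        return Pinhole("client->server", host, port)
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries only the port; the peer address is the control-channel server.
        return Pinhole("client->server", server_ip, int(m.group(1)))
    m = PORT_RE.match(line)
    if m:
        host, port = _host_port(m)
        return Pinhole("server->client", host, port)
    return None  # not a data-channel negotiation, or not readable (e.g. TLS ciphertext)


def pinholes_for_session(control_lines: List[str], server_ip: str) -> List[Pinhole]:
    """Feed every control-channel line through the parser, as an inspection engine would."""
    return [p for p in (pinhole_from_line(l, server_ip) for l in control_lines) if p]


# Constructed cleartext FTP session: the firewall can read every line.
CLEARTEXT_SESSION = [
    "220 ftp.example.test ready",
    "USER alice",
    "331 Password required",
    "PASS ****",
    "230 Logged in",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,81)",
    "LIST",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50002|)",
    "PORT 198,51,100,7,4,1",
    "200 PORT command successful",
]

# Constructed explicit-FTPS session: after "234" the control channel is TLS ciphertext,
# so the PASV/227 exchange that follows is invisible to the firewall.
FTPS_SESSION = [
    "220 ftps.example.test ready",
    "AUTH TLS",
    "234 Proceed with negotiation",
    "\x16\x03\x03\x00\x9d\x01\x00\x00\x99\x03\x03",   # TLS ClientHello record header (constructed)
    "\x17\x03\x03\x00\x4a\x8f\x1e\xa0\x03\x4b",       # TLS application data (the encrypted PASV/227)
]

if __name__ == "__main__":
    for name, session, ip in (("cleartext", CLEARTEXT_SESSION, "192.0.2.10"),
                              ("ftps", FTPS_SESSION, "192.0.2.11")):
        print(name, pinholes_for_session(session, ip))
```

Running it yields three pinholes for the cleartext session (passive 192.0.2.10:50001, passive 192.0.2.10:50002, active 198.51.100.7:1025) and none for the FTPS session, which is exactly the situation the reply describes: with nothing to parse, the only option is a static permit for the control port plus whatever passive range the server is pinned to, kept as narrow as the server configuration allows.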

But Cisco should have a best practice configuration guide on how to do that, no?

From checkpoint you get something like:

· ftp-ssl-control: port 990
· ftp-ssl-data: port number ">1024" (greater than 1024), source port 989

I was expecting that Cisco has this as well. Does Cisco not maintain a best practices configuration for all kinds of protocols? If not, you should start one!

I am really not sure. Let me see if I can find out for you.

-KS
