05-14-2013 01:36 PM
Hi
I am currently testing the ftp proxy feature on our newly deployed WSA.
The WSA is in explicit forward mode only and we do not want to use any user authentication on the WSA at all.
No matter what I choose for "Authentication Format" in the ftp proxy configuration (raptor or check point) I am completely unable to establish an ftp connection via the WSA.
E.g. when I try a simple file transfer from a Cisco device:
copy ftp://anonymous@FTP-SERVER-ADDRESS:foo@bar.foo@WSA-ADDRESS/test.txt flash:
I always find in the WSA log
User anonymous@FTP-SERVER-ADDRESS login FAILED
It looks like the WSA always wants to authenticate the connection to the WSA itself first.
So please, how does one use this ftp proxy feature correctly without any authentication by the WSA?
Regards,
Grischa
05-14-2013 10:32 PM
Hi,
You need to make sure you have the correct config on the FTP server as well on the WSA
Please go through the following info:
If you are using FileZilla the exact FileZilla configuration will differ depending on the authentication configured for the FTP proxy on the WSA. The FTP Proxy config on the WSA can be found at 'Security Services' -> 'FTP Proxy Settings' -> 'Authentication Format'. From within FileZilla, go to 'Edit' -> 'Settings' -> 'FTP' -> 'FTP Proxy'. Click on 'Custom' to enable native ftp proxy. Use the following settings for different types of authentication:
Native FTP FileZilla configuration for "Check Point" authentication:
USER %u@%s@%h
PASS %p@%w <>
Native FTP FileZilla configuration for "Raptor" authentication:
USER %u@%h %s
PASS %p
ACCT %w
Native FTP FileZilla configuration without authentication and using Raptor authentication:
USER %u@%h <> %u
PASS %p
ACCT %p
Native FTP FileZilla configuration without authentication:
USER %u@%h <>
PASS %p
So please make sure you have the correct config on the WSA as well as the FTP server.
For more information, you can go to
http://www.cisco.com/en/US/docs/security/wsa/wsa7.5/user_guide/WSA_7.5.0_UserGuide.pdf and check the section "Working with FTP Connections".
For further assistance on pre-production issues, you can open a case at http://www.cisco.com/web/partners/tools/pdihd.html
Regards,
Kush
Cisco PDI Help Desk
05-15-2013 05:16 AM
Dear Kush
I am sorry but your reply (thanks for that) is not really helpful here.
First I was not focussing on a special client like FileZilla.
I want to know how to get a native FTP transfer through the WSA as a FTP proxy.
My simplest example is an ftp transfer from a Cisco device which can just use
copy ftp://user:pass@host/path
Here one would need to encode the actual destination host within the "user:pass" section since host would be the WSA in this case.
The same problem holds for simple ftp-calls from within arbitrary scripts.
Actually with a full featured client like FileZilla there is no big problem since one can easily use a SOCKS proxy for that.
So my original question is still open. Once I can get an ftp transfer from a Cisco command line through the WSA I can see this problem solved. So any hints are still appreciated.
Regards,
Grischa
05-15-2013 11:12 PM
Hi,
I apologize I misunderstood the question earlier.
Anonymous login to WSA through FTP (or any other protocol) is not supported. If you do not have authentication on, you would have to use a local username/password created on the WSA.
Regards,
Kush
05-16-2013 08:16 PM
Dear Kush
I am sorry to say that but it simply does not work.
Let me explain the following example:
Local guest user on WSA: user FOO, pass FOOBAR, (i.e. proxy_user=FOO, proxy_pass=FOOBAR)
ip address of the wsa: 10.0.0.1
ftp proxy port of wsa: 8021
public ftp server with anonymous login: 192.168.0.1, (i.e. ftp_user=anonymous, ftp_pass=bla@bla.bla, remote_host=192.168.0.1)
Now, WITHOUT the proxy you would download a file from the ftp server to a cisco device simply with
copy ftp://anonymous:bla@bla.bla@192.168.0.1/filename flash:
(this works like a charm!)
With the WSA ftp proxy configured for check point authentication I assume that the corresponding file transfer must be done by
copy ftp://anonymous@FOO@192.168.0.1:bla@bla.bla@FOOBAR@10.0.0.1:8021/filename flash:
This looks complicated but
anonymous@FOO@192.168.0.1 = ftp_user@proxy_user@remote_host
bla@bla.bla@FOOBAR = ftp_pass@proxy_pass
which is exactly what is needed for the check point authentication as described in the
WSA_7.5.0_UserGuide.pdf page 6-7.
So actually I would expect this to work, but the authentication at the WSA fails and its ftpd-log simply states
User anonymous@FOO@192.168.0.1 login FAILED
So please, how do I use the ftp proxy correctly? Please keep in mind that there is no network authentication enabled on the wsa, we can set up only local users here.
(And by the way I have absolutely no idea how the ftp transfer would be done with the wsa configured for raptor authentication. Usually the simple ftp clients all use user:pass authentication. I have never seen an additional "account" field here.)
Regards,
Grischa
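The two login encodings discussed in this thread (the FileZilla settings in Kush's reply and the Check Point mapping in Grischa's last post), expressed as plain FTP command sequences so a script can be checked against the expected format before blaming the proxy. This is an added example, not code from the thread or from Cisco; the credentials, addresses and port are the constructed values from the posts above, and the split-on-last-"@" assumption is ours, not documented WSA behaviour.

```python
"""Build native-FTP proxy login sequences for the two "Authentication Format"
layouts discussed in the thread (Check Point and Raptor). Added example."""
from ftplib import FTP
from typing import List, Tuple

Command = Tuple[str, str]  # (FTP verb, argument)


def checkpoint_login(ftp_user: str, ftp_pass: str, proxy_user: str,
                     proxy_pass: str, remote_host: str) -> List[Command]:
    """Check Point format: USER %u@%s@%h / PASS %p@%w (two commands).
    %u = ftp user, %s = proxy user, %h = remote host, %p = ftp pass, %w = proxy pass."""
    return [
        ("USER", f"{ftp_user}@{proxy_user}@{remote_host}"),
        ("PASS", f"{ftp_pass}@{proxy_pass}"),
    ]


def raptor_login(ftp_user: str, ftp_pass: str, proxy_user: str,
                 proxy_pass: str, remote_host: str) -> List[Command]:
    """Raptor format: USER %u@%h %s / PASS %p / ACCT %w (three commands).
    The proxy password travels in the separate ACCT field, which is why a
    plain user:pass client (like the Cisco copy command) cannot express it."""
    return [
        ("USER", f"{ftp_user}@{remote_host} {proxy_user}"),
        ("PASS", ftp_pass),
        ("ACCT", proxy_pass),
    ]


def cisco_copy_url(commands: List[Command], proxy_host: str, proxy_port: int,
                   path: str) -> str:
    """Fold a two-command (USER/PASS) sequence into the ftp://user:pass@host:port/path
    form the Cisco copy command accepts. Raptor's ACCT step has no place in this URL."""
    verbs = dict(commands)
    if "ACCT" in verbs:
        raise ValueError("ACCT cannot be encoded in a user:pass URL")
    return f"ftp://{verbs['USER']}:{verbs['PASS']}@{proxy_host}:{proxy_port}/{path}"


def split_checkpoint_pass(combined: str) -> Tuple[str, str]:
    """Assumption (ours, not documented WSA behaviour): the proxy splits the
    combined PASS field on the LAST '@'. The anonymous password in the thread
    (bla@bla.bla) itself contains '@', so any other split rule would break it."""
    ftp_pass, _, proxy_pass = combined.rpartition("@")
    return ftp_pass, proxy_pass


def send_login(proxy_host: str, proxy_port: int, commands: List[Command]) -> List[str]:
    """Send the sequence with ftplib. sendcmd() raises error_perm on a 5xx reply,
    so a 'login FAILED' surfaces as an exception rather than a silent failure."""
    with FTP() as conn:
        conn.connect(proxy_host, proxy_port)
        return [conn.sendcmd(f"{verb} {arg}") for verb, arg in commands]
```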