FTP over non standard port failing

After some discussion with a Sophos XG Engineer, what we discovered is that it was the SSL/TLS Inspection rules that is causing the issue.  As the software is a poorly written old as the hills Federal government written program, it doesn't adhere to many standards for FTP and other things.  The workaround for now is to go to:  "Rules and Policies > SSL/TLS inspection Rules" and toggle off the SSL/TLS Inspection, run the program upload/download, and then turn it back on. 

Support will be helping me further to find a workaround rule that doesn't do the inspection to only that program, but for now that is the workaround.  Hope this helps others!

Did you ever get a resolution?  I am configuring an XG125 and have the same problem with edconnect

My Guess is that is the ftpbounce-prevention that are the issue here. Login to the CLI go to meny 4 and change the ftpbounce-prevention to Data instead of control. That have worked for me when having issues with FTP traffic. 

The command to change it.

set advanced-firewall ftpbounce-prevention data

to see the settings that are active use:

show advanced-firewall

And also please remember to allow the passive ports in the Firewall rule.

//Rickard

edconnect is literally the exact same product we are having the problem with.  For now we are just toggling off that "SSL/TLS inspection" switch and having them transmit/recieve.  Then we turn it back on.  I have an escalated ticket with Sophos engineering but they suspect a special fix will be needed to take care of this.  Version 18 MR3 made no difference but we figured we would upgrade to it anyway and test.

I'm not sure if I could add you to my escalated ticket that I have?  If you are interested I could try that to give more fuel to getting it done.  The engineer from Sophos (super knowledgeable person btw) mentioned it will probably be December before something that truly works is created.  Unfortunately it appears edconnect connects in a wildly insecure way (thanks feds).   

We apparently were changed over to "data" while Sophos engineering was taking a look at the issue.  I checked just now, but thank you for giving me this insight!

Ok, can't you create a rule that don't inspect the traffic from your solution and let it flow thru? That should work until they come up with a solution to the problem.

Ok, can't you create a rule that don't inspect the traffic from your solution and let it flow thru? That should work until they come up with a solution to the problem.

That is the odd thing, I created a rule to that specific server to "NOT DECRYPT" but for some reason it doesn't see the traffic and just does the inspection anyway on it.  I added a different webserver to the rule as a test and it sees that, but this one it doesn't see.  Support was also confused.

That is strange... I have one more guess that you could try. But Do not know if it going to work.  In the CLI go to option 4 and type 

set ips ac_atp exception fwrules X (were X is the firewall rule ID) and see if that helps. And try to use a TLS rule to "do not encrypt" and see if it works.

It will stop the firewall to send the traffic to the Snort engine and just lets it flow thru.

support.sophos.com/.../KB-000038900