
FTP Passive External XG115 SFOS 18.0.5 MR-5

Hello,

I would like help to configure the operation of a government application, which works as FTP passive.

And for tests, I even applied the rule as follows:

source: 192.168.240.3
destination: 201.55.60.68

Services: Any
Source zones: Any
Destination zones: Any

SNAT MASQ applied.

However, access does not work completely.

According to the status of the application, the request arrives at the server 201.55.60.68, because it reports a status of connected to the FTP server.

However, the rest of the traffic and the server's response do not arrive at the origin as desired.

And looking at the logs on the firewall, I worry if it's a bug or something, because connection response logs are shown before the initial query logs. So the rule ID and NAT match the initial rule, but these logs do not show any interface and carry the following error: Invalid connection helper.

And only after that does the request log appear, with the initial meaning of the rule.

Ignoring the order of viewing the logs.

I imagine maybe it's because it's FTP passive and the firewall is stateful.
After the request, whose direction is client to server, the server sends a request to the client. And the firewall, in turn, would be waiting for a response and not a request for this connection.

So I'm in doubt if there is any way to make this FTP passive configuration.
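The post above describes passive FTP through a stateful firewall: the client opens the control connection, the server replies with a 227/229 line announcing where the data channel should be opened, and the firewall's FTP connection helper has to read that reply to know which second connection belongs to the session. The Python below is an added illustration of that helper logic, not code from the thread or from Sophos; the control-channel replies it parses are constructed sample lines, and the rule that the announced host must equal the control-connection peer is an assumption about what a bounce check does, not a statement about SFOS internals.

```python
import re
from ipaddress import ip_address

# Constructed sample control-channel replies (not captured from the thread's server).
PASV_REPLY = "227 Entering Passive Mode (201,55,60,68,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"
BOUNCE_REPLY = "227 Entering Passive Mode (10,0,0,9,195,80)."   # host differs from control peer


def parse_passive_reply(reply: str):
    """Return (host, port) announced by a PASV (227) or EPSV (229) reply.

    host is None for EPSV, which only announces a port; the client then
    connects to the same address it used for the control connection.
    """
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m and reply.startswith("227"):
        octets = m.groups()[:4]
        host = ".".join(octets)
        ip_address(host)                      # raises ValueError on a malformed address
        port = int(m.group(5)) * 256 + int(m.group(6))
        return host, port
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if m and reply.startswith("229"):
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def expected_data_connection(client_ip: str, server_ip: str, reply: str) -> dict:
    """Describe the data-channel flow a stateful helper should expect after `reply`.

    In passive mode the *client* initiates the data connection, so the flow is
    client -> announced_host:announced_port. The helper also notes whether the
    announced host matches the control-connection peer; a mismatch is the shape
    of a bounce, where the control channel points the client at a third party.
    """
    host, port = parse_passive_reply(reply)
    dst = host or server_ip
    return {
        "src": client_ip,
        "dst": dst,
        "dport": port,
        "port_is_ephemeral": port > 1023,
        "host_matches_control_peer": dst == server_ip,
    }


def data_syn_belongs_to_session(expected: dict, syn_src: str, syn_dst: str, syn_dport: int) -> bool:
    """Decide whether an observed TCP SYN is the data connection the helper is waiting for.

    A SYN that does not match is what a stateful firewall logs as a packet it
    could not associate with any connection: it is then judged on its own,
    and without a rule allowing it on its own it is dropped.
    """
    return (
        syn_src == expected["src"]
        and syn_dst == expected["dst"]
        and syn_dport == expected["dport"]
    )


if __name__ == "__main__":
    exp = expected_data_connection("192.168.240.3", "201.55.60.68", PASV_REPLY)
    print(exp)
    print("client SYN to announced port matches:",
          data_syn_belongs_to_session(exp, "192.168.240.3", "201.55.60.68", exp["dport"]))
    print("server-initiated SYN matches:",
          data_syn_belongs_to_session(exp, "201.55.60.68", "192.168.240.3", 20))
```

The last two prints show the distinction the post is asking about: with passive FTP the only flow the helper should expect is the client's own SYN to the announced port, so a packet arriving from the server side in the other direction is not part of the session and needs its own rule to be accepted. The `host_matches_control_peer` flag is the property a bounce check cares about; relaxing such a check lets the data channel go to an address other than the server the client spoke to.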



  • Hi,

    try to enable "Scan FTP for malware" in the Web Filtering section.

  • Hi,
    
    Before, it looked as if I had suggested disabling. Sorry, I got it wrong.
    
    I enabled it as suggested, but access is still not possible.
    But logs with "invalid connection helper" are not displayed now.
    
    And now I see the request allowed log.
    However, I see the log of the response or request from the server 201.55.60.68 as denied, with the following message: "Could not associate packet to any connection."
    
    In this case I applied a DNAT for the traffic from the server. But without success.
  • Try to disable the ftp bounce protection: 

    set advanced-firewall ftpbounce-prevention data


  • Hi,

    Thanks.
    The command worked with the FTP scan web filter disabled.

    At this point, from the command I don't explicitly see that FTP bounce would be disabled, but apparently it switches the protection mode. (I just think so, on account of not seeing off, disable, etc. in the command.)

    So I'm in doubt, which vulnerabilities would be exposed as a result of the change?

  • Personally, I would not open any FTP service to external. Too many vulnerabilities are open, and there are enough valid sharing solutions (like OneDrive, Dropbox, etc.). So why bother with offering a solution in-house and exposing a service which could potentially be exploited?

  • It's because it's a government application, which connects to the FTP server to check and update it. And at this point, generally the government doesn't care about the safest and most correct way to make applications.

    However, at this point I understood what you meant. In short, using FTP by itself is a risk.

    However, thank you very much for your help.