
Using Explicit FTP over TLS

I have spent quite some time searching for a solution to this issue, but alas, I have not found one.
What I want to do seems like it should be a simple task, but I am having no success in getting it to work.

I am using Filezilla as a FTP client behind my Sophos UTM (v9.409-9 - home license) to connect to external FTP servers (for management of external websites).

When I try to use "Use explicit FTP over TLS if available" as my encryption option it authenticates to the FTP server but fails to do a directory listing.

Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Status:    Verifying certificate...
Status:    TLS connection established.
Status:    Logged in
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (98,142,97,58,165,21)
Command:    MLSD
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing

If I use "Only use plain FTP (insecure)" as my encryption option everything works fine, but that is not the way I would prefer to connect to the FTP servers.

I have viewed the firewall log while trying to connect using Explicit FTP over TLS, but I see absolutely no indication of this in the live log.
Surely I am not the only person that has this issue.


So... my question is a simple one.
How do I configure the UTM to allow me to use Explicit FTP over TLS to connect to an external FTP server when using Filezilla?
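The 227 reply in the log above tells the client which address and port to open the data connection to. A stateful firewall's FTP helper normally reads that reply off the cleartext control channel and opens the data connection for it; once the control channel is TLS, the helper sees only ciphertext, so the MLSD data connection never gets through. The script below is an added, constructed diagnostic that decodes the reply and flags that condition; it is not Sophos code and not from the thread, and the sample log is a copy of the session above.

```python
import re

# FileZilla session transcript copied from the post above (constructed sample
# input for this diagnostic; the IP is the one shown in the 227 reply).
SESSION_LOG = """\
Status:    Initializing TLS...
Status:    TLS connection established.
Status:    Logged in
Command:    PASV
Response:    227 Entering Passive Mode (98,142,97,58,165,21)
Command:    MLSD
Error:    Connection timed out after 20 seconds of inactivity
"""

# RFC 959 passive-mode reply: four address octets, then the port as two bytes.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply
    into (host, port); the data port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def diagnose(log):
    """Summarise why a directory listing stalls after PASV when the FTP
    control channel is encrypted and a stateful FTP helper sits in the path."""
    lines = log.splitlines()
    tls = any("TLS connection established" in l for l in lines)
    pasv_reply = next(l for l in lines if " 227 " in l)
    host, port = parse_pasv(pasv_reply)
    return {
        "control_channel_encrypted": tls,
        "data_endpoint": (host, port),
        "data_channel_timed_out": "Connection timed out" in log,
        # An FTP helper/ALG can only learn the data endpoint from a cleartext
        # control channel; with TLS it cannot open the passive connection.
        "alg_can_open_data_channel": not tls,
    }


if __name__ == "__main__":
    for key, value in diagnose(SESSION_LOG).items():
        print("%-28s %s" % (key, value))
```

The practical consequence is that the data channel to 98.142.97.58:42261 has to be permitted by an explicit outbound rule (or handled by a proxy that terminates TLS) rather than by FTP connection tracking.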

  • I added the IP address of the host FTP server to Skip Transparent Mode Destination Hosts/Nets, but again, this made no difference.

    I cannot believe that something as basic as using a secure FTP connection is so painful to configure on the UTM. What a PITA!

  • Can you see the traffic in either of the firewall logs or the web filter log?

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi BigO,

    Check the packetfilter.log & http.log for the destination IP address of the FTP server. You should definitely get some lines to deny the traffic. Execute,

    tail -f packetfilter.log | grep x.x.x.x(dest IP)

    tail -f http.log | grep x.x.x.x(dest IP) 

    Any help with that?

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • When I look at the firewall log all I see is the accepted packet on port 21
    There are no entries at all in the web filter log for the FTP server IP address.

    2016:12:30-09:07:19 firewall ulogd[4557]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" outitf="ppp0" srcmac="a0:a8:cd:xx:xx:xx" dstmac="78:e3:b5:xx:xx:xx" srcip="172.16.xxx.xxx" dstip="98.142.xxx.xxx" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59406" dstport="21" tcpflags="SYN"


    Connecting to the FTP server works just fine when I use the non-secure connection option, but when I use any of the TLS connection options I cannot get a directory listing.

    As I said... I cannot believe that no one else has this issue, or a simple solution for how to make it work.

  • Hi BigO,

    Time for a pcap. Do a packetcapture and show us the logs. I want to see who sends the RESET.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks for the suggestion, but I am in no way a Linux command line person, which is what I believe is necessary to do a packet capture.

    I am guessing that I will just have to accept the fact that I will only be able to do insecure connections to the FTP servers, as I do not have the time or motivation to waste any more time trying to resolve this issue.

    As I have said before... surely it cannot just be me that wants to use a TLS connection to FTP servers and cannot do this from behind the UTM.

  • Long shot, but have you read the KB article? https://community.sophos.com/kb/en-us/121021

    Regards,
    Bohdan

  • BigO, this is what you need:

    Works like a charm!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is really strange, as I am positive that I tried what you suggested in your solution previously and it made absolutely no difference.
    However... when I tried it again today it did as you say; it worked like a charm. [:D]

    Thanks Bob.

  • I have enabled FTP Proxy, Internal (network) is allowed, Operation Mode set to both, hosts allowed set to Any

    When I try to connect to FTP from Filezilla or ftp (command-line client) on Windows I get Connection timed out.

    No traffic in the firewall logs and no traffic in FTP Proxy logs.

    After disabling FTP Proxy I can see traffic in the firewall logs.

    Am I doing something wrong? Why doesn't Transparent mode work?