Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Passive FTP Issue

Since moving to R80.20 we've had an issue with the "ftp" service.  As a stop gap we used "ftp-protocol-signature" and match for any which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc).  I am now trying to get back to the port based ftp service and having issues.  To troubleshoot I have an "ftp" rule followed by an "ftp-protocol-signature" rule.

The initial ftp connection on port 21 matches on the "ftp" service rule, however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:

 

 

No.

Time

Source

Destination

Protocol

Length

Info

1

0

192.139.152.XXX

216.8.153.YYY

TCP

62

55479  >  21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1

2

0.034743

192.139.152.XXX

216.8.153.YYY

TCP

54

55479  >  21 [ACK] Seq=1 Ack=1 Win=32768 Len=0

3

0.050639

192.139.152.XXX

216.8.153.YYY

FTP

60

Request: SYST

4

0.066276

192.139.152.XXX

216.8.153.YYY

FTP

72

Request: USER *********

5

0.08137

192.139.152.XXX

216.8.153.YYY

FTP

69

Request: PASS **********

6

0.154162

192.139.152.XXX

216.8.153.YYY

TCP

54

55479  >  21 [ACK] Seq=40 Ack=235 Win=32768 Len=0

7

0.168541

192.139.152.XXX

216.8.153.YYY

FTP

60

Request: PASV

8

0.184125

192.139.152.XXX

216.8.153.YYY

TCP

62

55486  >  63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1

9

0.198893

192.139.152.XXX

216.8.153.YYY

FTP

83

Request: STOR FILEXXXXX

10

0.214221

192.139.152.XXX

216.8.153.YYY

TCP

54

55486  >  63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0

11

0.229467

192.139.152.XXX

216.8.153.YYY

TCP

1406

55486  >  63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352

12

0.229566

192.139.152.XXX

216.8.153.YYY

TCP

1406

55486  >  63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352

13

0.22961

192.139.152.XXX

216.8.153.YYY

TCP

764

55486  >  63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710

14

0.229614

192.139.152.XXX

216.8.153.YYY

TCP

54

55486  >  63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0

15

0.245719

192.139.152.XXX

216.8.153.YYY

TCP

54

55486  >  63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0

16

0.245726

192.139.152.XXX

216.8.153.YYY

FTP

59

Request: PWD

17

0.260447

192.139.152.XXX

216.8.153.YYY

FTP

83

Request: RNFR FILEXXXXX

18

0.275011

192.139.152.XXX

216.8.153.YYY

FTP

86

Request: RNTO FILEYYYYY

19

0.30613

192.139.152.XXX

216.8.153.YYY

FTP

60

Request: QUIT

20

0.3216

192.139.152.XXX

216.8.153.YYY

TCP

54

55479  >  21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0

21

0.321714

192.139.152.XXX

216.8.153.YYY

TCP

54

55479  >  21 [ACK] Seq=148 Ack=450 Win=32768 Len=0

22

1.576145

192.139.152.XXX

216.8.153.YYY

TCP

66

21  >  63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

23

1.590468

192.139.152.XXX

216.8.153.YYY

FTP

81

Response: 220 Microsoft FTP Service

24

1.605046

192.139.152.XXX

216.8.153.YYY

FTP

77

Response: 331 Password required

25

1.620133

192.139.152.XXX

216.8.153.YYY

FTP

1088

Response: 230-WARNING:

26

1.62016

192.139.152.XXX

216.8.153.YYY

FTP

75

Response: 230 User logged in.

27

1.634786

192.139.152.XXX

216.8.153.YYY

FTP

74

Response: 200 Type set to I.

28

1.648881

192.139.152.XXX

216.8.153.YYY

FTP

70

Response: 215 Windows_NT

29

1.663016

192.139.152.XXX

216.8.153.YYY

FTP

88

Response: 211-Extended features supported:

30

1.663093

192.139.152.XXX

216.8.153.YYY

FTP

72

Response:  LANG EN*

31

1.663115

192.139.152.XXX

216.8.153.YYY

FTP

107

Response:  AUTH TLS;TLS-C;SSL;TLS-P;

32

1.663132

192.139.152.XXX

216.8.153.YYY

FTP

61

Response:  HOST

33

1.663153

192.139.152.XXX

216.8.153.YYY

FTP

91

Response:  SIZE

34

1.677245

192.139.152.XXX

216.8.153.YYY

FTP

112

Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.

35

1.712574

192.139.152.XXX

216.8.153.YYY

FTP

83

Response: 250 CWD command successful.

36

1.729417

192.139.152.XXX

216.8.153.YYY

FTP

103

Response: 550 The system cannot find the file specified. 

37

1.74992

192.139.152.XXX

216.8.153.YYY

FTP

107

Response: 227 Entering Passive Mode (192,139,152,XXX,237,68).

38

1.764894

192.139.152.XXX

216.8.153.YYY

TCP

66

60740  >  24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

39

1.788989

192.139.152.XXX

216.8.153.YYY

FTP

108

Response: 125 Data connection already open; Transfer starting.

40

1.803761

192.139.152.XXX

216.8.153.YYY

TCP

54

60740  >  24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0

41

1.807151

192.139.152.XXX

216.8.153.YYY

TCP

54

60740  >  24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0

42

1.8073

192.139.152.XXX

216.8.153.YYY

TCP

54

60740  >  24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0

43

1.807392

192.139.152.XXX

216.8.153.YYY

FTP

78

Response: 226 Transfer complete.

44

1.880154

192.139.152.XXX

216.8.153.YYY

FTP

68

Response: 221 Good-Bye

45

1.880182

192.139.152.XXX

216.8.153.YYY

TCP

54

21  >  63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0

46

1.895165

192.139.152.XXX

216.8.153.YYY

TCP

54

21  >  63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0

 

 

 

0 Kudos
1 Reply
Highlighted

The main thing here is you are showing 2 different session in 2 different directions and from both sessions you only show half the communication, specially missing in the first part is the line similar to this one:
Response: 227 Entering Passive Mode (192,139,152,155,237,68).
What we advise with FTP servers is to use passive mode and to use a fixed range of max 500 ports, when less busy use a range of 100 ports.
Most of the FTP servers nowadays use TLS also, causing the communication to fail as the FW cannot see the PASV command
anymore. Therefore just allowing the FTP port and the range will still allow the traffic and still be reasonable secure.
Regards, Maarten
0 Kudos