Passive FTP Issue
Since moving to R80.20 we've had an issue with the "ftp" service. As a stopgap we used "ftp-protocol-signature" and match for any, which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc.). I am now trying to get back to the port-based ftp service and having issues. To troubleshoot I have an "ftp" rule followed by an "ftp-protocol-signature" rule.
The initial ftp connection on port 21 matches on the "ftp" service rule; however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:
| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 1 | 0 | 192.139.152.XXX | 216.8.153.YYY | TCP | 62 | 55479 > 21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1 |
| 2 | 0.034743 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=1 Ack=1 Win=32768 Len=0 |
| 3 | 0.050639 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: SYST |
| 4 | 0.066276 | 192.139.152.XXX | 216.8.153.YYY | FTP | 72 | Request: USER ********* |
| 5 | 0.08137 | 192.139.152.XXX | 216.8.153.YYY | FTP | 69 | Request: PASS ********** |
| 6 | 0.154162 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=40 Ack=235 Win=32768 Len=0 |
| 7 | 0.168541 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: PASV |
| 8 | 0.184125 | 192.139.152.XXX | 216.8.153.YYY | TCP | 62 | 55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1 |
| 9 | 0.198893 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Request: STOR FILEXXXXX |
| 10 | 0.214221 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0 |
| 11 | 0.229467 | 192.139.152.XXX | 216.8.153.YYY | TCP | 1406 | 55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352 |
| 12 | 0.229566 | 192.139.152.XXX | 216.8.153.YYY | TCP | 1406 | 55486 > 63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352 |
| 13 | 0.22961 | 192.139.152.XXX | 216.8.153.YYY | TCP | 764 | 55486 > 63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710 |
| 14 | 0.229614 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0 |
| 15 | 0.245719 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0 |
| 16 | 0.245726 | 192.139.152.XXX | 216.8.153.YYY | FTP | 59 | Request: PWD |
| 17 | 0.260447 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Request: RNFR FILEXXXXX |
| 18 | 0.275011 | 192.139.152.XXX | 216.8.153.YYY | FTP | 86 | Request: RNTO FILEYYYYY |
| 19 | 0.30613 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: QUIT |
| 20 | 0.3216 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0 |
| 21 | 0.321714 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=148 Ack=450 Win=32768 Len=0 |
| 22 | 1.576145 | 192.139.152.XXX | 216.8.153.YYY | TCP | 66 | 21 > 63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 |
| 23 | 1.590468 | 192.139.152.XXX | 216.8.153.YYY | FTP | 81 | Response: 220 Microsoft FTP Service |
| 24 | 1.605046 | 192.139.152.XXX | 216.8.153.YYY | FTP | 77 | Response: 331 Password required |
| 25 | 1.620133 | 192.139.152.XXX | 216.8.153.YYY | FTP | 1088 | Response: 230-WARNING: |
| 26 | 1.62016 | 192.139.152.XXX | 216.8.153.YYY | FTP | 75 | Response: 230 User logged in. |
| 27 | 1.634786 | 192.139.152.XXX | 216.8.153.YYY | FTP | 74 | Response: 200 Type set to I. |
| 28 | 1.648881 | 192.139.152.XXX | 216.8.153.YYY | FTP | 70 | Response: 215 Windows_NT |
| 29 | 1.663016 | 192.139.152.XXX | 216.8.153.YYY | FTP | 88 | Response: 211-Extended features supported: |
| 30 | 1.663093 | 192.139.152.XXX | 216.8.153.YYY | FTP | 72 | Response: LANG EN* |
| 31 | 1.663115 | 192.139.152.XXX | 216.8.153.YYY | FTP | 107 | Response: AUTH TLS;TLS-C;SSL;TLS-P; |
| 32 | 1.663132 | 192.139.152.XXX | 216.8.153.YYY | FTP | 61 | Response: HOST |
| 33 | 1.663153 | 192.139.152.XXX | 216.8.153.YYY | FTP | 91 | Response: SIZE |
| 34 | 1.677245 | 192.139.152.XXX | 216.8.153.YYY | FTP | 112 | Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON. |
| 35 | 1.712574 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Response: 250 CWD command successful. |
| 36 | 1.729417 | 192.139.152.XXX | 216.8.153.YYY | FTP | 103 | Response: 550 The system cannot find the file specified. |
| 37 | 1.74992 | 192.139.152.XXX | 216.8.153.YYY | FTP | 107 | Response: 227 Entering Passive Mode (192,139,152,XXX,237,68). |
| 38 | 1.764894 | 192.139.152.XXX | 216.8.153.YYY | TCP | 66 | 60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 |
| 39 | 1.788989 | 192.139.152.XXX | 216.8.153.YYY | FTP | 108 | Response: 125 Data connection already open; Transfer starting. |
| 40 | 1.803761 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0 |
| 41 | 1.807151 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0 |
| 42 | 1.8073 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0 |
| 43 | 1.807392 | 192.139.152.XXX | 216.8.153.YYY | FTP | 78 | Response: 226 Transfer complete. |
| 44 | 1.880154 | 192.139.152.XXX | 216.8.153.YYY | FTP | 68 | Response: 221 Good-Bye |
| 45 | 1.880182 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 21 > 63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0 |
| 46 | 1.895165 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 21 > 63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0 |
Response: 227 Entering Passive Mode (192,139,152,155,237,68).
What we advise with FTP servers is to use passive mode and to use a fixed range of max 500 ports; when less busy, use a range of 100 ports.
Most of the FTP servers nowadays use TLS also, causing the communication to fail as the FW cannot see the PASV command anymore. Therefore just allowing the FTP port and the range will still allow the traffic and still be reasonably secure.