FTPS ALG 2.0 for support for encryption

PeterUK

So here is the deal: the reason the ALG for FTP works is because it can read into the packets, and with FTPS the USG can't read the packets. In order to allow FTPS, it has a known port (maybe 21 or 990 normally); then in Active Mode the server connects to you incoming, and in Passive mode it uses random ports outgoing.

So here is how you support FTPS:
If you're going outgoing to port 21, say to IP 173.248.150.164, which you allow by firewall rule, then FTPS ALG 2.0 auto-makes two firewall rules till the session ends.

So if you're going from LAN1 to WAN, one rule would be:
from LAN1
to WAN
destination IP 173.248.150.164
Service any TCP

The other rule, which can be disabled if you only want to use Passive, would auto-make a NAT rule till the session ends:
incoming WAN
source IP 173.248.150.164
external WAN IP
internal IP that made the outgoing FTP
service any-TCP

Firewall rule till the session ends:
from WAN
to LAN1
source IP 173.248.150.164
Service any TCP


Comments

  • Zyxel_Melen

    Hi @PeterUK

    I'm trying to understand the specific use case for this 'FTPS ALG 2.0' concept.

    It seems designed to support Active Mode FTPS, where the server has to initiate an inbound data connection to the client.

    Could you describe the scenario where this is necessary? Most firewalled environments rely on Passive Mode FTPS (where the client initiates both connections) specifically because it avoids this exact inbound rule-making problem and works with standard stateful tracking.

    Zyxel Melen


  • PeterUK
    edited November 10

    Thanks for your reply, Melen.

    If you were to try FTP with the way the ALG works, you only have to allow port 21 from LAN to WAN and then do a block-all rule, and go to, say, 173.248.150.164 in Active or Passive: everything works! No need to allow any other ports; the ALG does it all.

    The problem then is how you do the same for encryption, because going to 173.248.150.164 has the problem that in Passive mode you don't know the outgoing ports it will need, such that if you only allow TCP ports 21, 80 and 443 from LAN to WAN then you can't get FTPS to work, and everyone running an FTPS site could have different port ranges to another site, so you end up opening more outgoing ports unless you firewall every destination IP. Same deal with Active on incoming.

    So in short, the idea I said above will not need to look into the packets; the FTP signalling port is all you need to auto-allow FTPS based on destination IP.
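PeterUK's proposal (the temporary rule set from the opening post and the "signalling port is all you need" point above) sketched as an added Python model; this is not Zyxel code or anything posted in the thread. The zone names, the control-port set, the 203.0.113.5 WAN address and the 192.168.1.10 client are assumed sample values, and the model deliberately shows the caveat that the rules are any-TCP towards the whole server IP for as long as the control session lives.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed control ports the ALG would watch (explicit FTPS on 21, implicit FTPS on 990).
FTPS_CONTROL_PORTS = {21, 990}


@dataclass(frozen=True)
class Rule:
    kind: str                 # "firewall" or "nat"
    src_zone: str
    dst_zone: str
    src_ip: Optional[str]     # None matches any source address
    dst_ip: Optional[str]     # None matches any destination address
    translate_to: Optional[str] = None   # NAT only: internal host the WAN IP maps to
    service: str = "any-TCP"


@dataclass
class FtpsAlg:
    """Tracks FTPS control sessions and the temporary rules auto-created for them."""
    allow_active: bool = True   # False = Passive only: no inbound NAT/firewall rules
    sessions: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)

    def control_session_opened(self, client_ip: str, server_ip: str, dst_port: int,
                               wan_ip: str, lan_zone: str = "LAN1", wan_zone: str = "WAN") -> List[Rule]:
        """Called once the normal policy has already permitted the control connection."""
        if dst_port not in FTPS_CONTROL_PORTS:
            return []                                    # not FTPS signalling: nothing to do
        # Passive mode: client may open data connections to any TCP port, but only on that server.
        rules = [Rule("firewall", lan_zone, wan_zone, None, server_ip)]
        if self.allow_active:
            # Active mode: the server connects back; forward it to the client and permit WAN->LAN.
            rules.append(Rule("nat", wan_zone, lan_zone, server_ip, wan_ip, translate_to=client_ip))
            rules.append(Rule("firewall", wan_zone, lan_zone, server_ip, client_ip))
        self.sessions[(client_ip, server_ip)] = rules
        return rules

    def control_session_closed(self, client_ip: str, server_ip: str) -> List[Rule]:
        """Tear the temporary rules down as soon as the control session ends."""
        return self.sessions.pop((client_ip, server_ip), [])

    def permits(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, proto: str = "tcp") -> bool:
        """Would a (post-NAT) data-connection packet match one of the temporary firewall rules?"""
        if proto != "tcp":
            return False                                 # the auto rules are any-TCP only
        return any(r.kind == "firewall" and r.src_zone == src_zone and r.dst_zone == dst_zone
                   and r.src_ip in (None, src_ip) and r.dst_ip in (None, dst_ip)
                   for rules in self.sessions.values() for r in rules)
```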

  • Zyxel_Melen

    Hi @PeterUK

    Thanks for the details. I will let our product team know this idea, and we will monitor the comments and votes of this post to evaluate it.

    Zyxel Melen