Palo Alto Networks Knowledgebase: How to Create an Application Override for FTP

Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM
Resolution

Note: The following article outlines the additional steps required when an application override needs to be enabled for an active FTP connection. These steps are not required if an application override is not needed in the first place.

Overview

FTP is exclusively a TCP-based service; there is no UDP component to FTP. FTP is an unusual service in that it uses two ports: a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that, depending on the mode, the data port is not always port 20.


Details

Active FTP:

In active mode FTP, the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server then connects back to the client's specified data port from its local data port, port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

[Figure: active mode FTP connection diagram]

Passive FTP:

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

[Figure: passive mode FTP connection diagram]
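The reason both port lists above contain a "ports > 1023" entry is that the data port is negotiated on the control channel: in active mode the client announces it in a PORT command, in passive mode the server announces it in a 227 reply. The following is an added example, not code from the article or from Palo Alto Networks, that decodes both announcements and reports which of the server-side channels listed above the resulting data connection needs. The addresses, ports and control-channel messages are constructed for the example; the check that the announced address matches the control-connection peer is a defensive assumption of this example, not something the article prescribes.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed control-channel messages for this example (not taken from a real capture).
SERVER_IP = "203.0.113.5"
CLIENT_IP = "192.168.1.10"
PORT_CMD = "PORT 192,168,1,10,4,1"                              # client data port 4*256 + 1 = 1025
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"   # server data port 195*256 + 80 = 50000

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    """The TCP data connection that a PORT command or PASV reply announces."""
    mode: str         # "active" or "passive"
    initiator: str    # which side opens the data connection
    src_ip: str
    src_port: int     # 20 in active mode; the client's ephemeral port in passive mode
    dst_ip: str
    dst_port: int


def _decode(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port), rejecting malformed values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range: {fields}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port <= 1023:
        raise ValueError(f"announced data port {port} is not an unprivileged port")
    return ip, port


def parse_active(port_cmd: str, client_ip: str, server_ip: str) -> DataChannel:
    """Active mode: the client announces where it listens; the server connects from port 20."""
    m = _PORT_RE.match(port_cmd.strip())
    if not m:
        raise ValueError("not a PORT command")
    ip, port = _decode(m.groups())
    # Assumption of this example: the announced address must be the control-connection peer.
    if ip != client_ip:
        raise ValueError(f"PORT names {ip} but the control peer is {client_ip}")
    return DataChannel("active", "server", server_ip, 20, client_ip, port)


def parse_passive(reply: str, client_ip: str, client_port: int, server_ip: str) -> DataChannel:
    """Passive mode: the server announces a port > 1023 and the client connects to it."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    ip, port = _decode(m.groups())
    if ip != server_ip:
        raise ValueError(f"PASV reply names {ip} but the server is {server_ip}")
    return DataChannel("passive", "client", client_ip, client_port, server_ip, port)


def required_channel(ch: DataChannel, server_ip: str) -> Optional[str]:
    """Name the server-side firewall channel (from the article's lists) this data connection needs."""
    if ch.src_ip == server_ip and ch.src_port == 20 and ch.dst_port > 1023:
        return "FTP server's port 20 to ports > 1023"
    if ch.dst_ip == server_ip and ch.dst_port > 1023 and ch.src_port > 1023:
        return "FTP server's ports > 1023 from anywhere"
    return None


if __name__ == "__main__":
    for ch in (parse_active(PORT_CMD, CLIENT_IP, SERVER_IP),
               parse_passive(PASV_REPLY, CLIENT_IP, 1026, SERVER_IP)):
        print(f"{ch.mode}: {ch.initiator} opens {ch.src_ip}:{ch.src_port} -> {ch.dst_ip}:{ch.dst_port}"
              f"  needs: {required_channel(ch, SERVER_IP)}")
```

Running the block prints one line per mode. The active-mode announcement yields a server-initiated connection from port 20 to client port 1025, which only the "port 20 to ports > 1023" channel covers; the passive-mode reply yields a client-initiated connection to server port 50000, which only the "ports > 1023 from anywhere" channel covers. That dynamic destination is exactly what a static port-based rule cannot express, and why a firewall needs either protocol awareness on the control channel or the application override described in the steps below.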

Steps

The Palo Alto Networks firewall supports application overrides, which help with applications that have special requirements.

To configure an override for the FTP protocol, the following steps apply:

  1. Create a custom application that uses the FTP ports 20 and 21 and the dynamic ports greater than 1024.
    [Figures: custom application configuration screenshots]
  2. Create an Application Override rule.
    [Figures: application override policy configuration screenshots]
  3. Make sure that there is a Security policy allowing the newly defined traffic (custom-ftp); otherwise traffic for this application will be dropped.
    [Figure: security policy screenshot]
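The three steps depend on each other: the override rule (step 2) assigns the custom application name from step 1 to matching sessions, and the security policy (step 3) is then evaluated against that name rather than the stock App-ID result. The following is an added, simplified Python model of that evaluation order; it is not PAN-OS code and does not reproduce the firewall's real rule-matching logic. The zone names (untrust, dmz), rule names, and the "ftp" placeholder for what App-ID would report without an override are all constructed for this example. It exists mainly to make the step 3 pitfall concrete: a security rule that only allows the stock ftp application no longer matches once the override renames the traffic to custom-ftp, and the session falls through to the implicit interzone deny.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    protocol: str
    dst_port: int
    app_without_override: str   # placeholder for what App-ID would report without an override


@dataclass(frozen=True)
class OverrideRule:
    name: str
    from_zone: str
    to_zone: str
    protocol: str
    ports: Tuple[PortRange, ...]
    application: str


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    applications: FrozenSet[str]   # {"any"} or a set of application names
    action: str                    # "allow" or "deny"


def _zone_ok(rule_zone: str, zone: str) -> bool:
    return rule_zone == "any" or rule_zone == zone


def _port_ok(ranges: Tuple[PortRange, ...], port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def identify(flow: Flow, overrides: List[OverrideRule]) -> str:
    """Step 2: the first matching override rule names the application; otherwise App-ID decides."""
    for r in overrides:
        if (_zone_ok(r.from_zone, flow.from_zone) and _zone_ok(r.to_zone, flow.to_zone)
                and r.protocol == flow.protocol and _port_ok(r.ports, flow.dst_port)):
            return r.application
    return flow.app_without_override


def evaluate(flow: Flow, overrides: List[OverrideRule],
             security: List[SecurityRule]) -> Tuple[str, str, str]:
    """Step 3: security policy is matched against the (possibly overridden) application name."""
    app = identify(flow, overrides)
    for r in security:
        if (_zone_ok(r.from_zone, flow.from_zone) and _zone_ok(r.to_zone, flow.to_zone)
                and ("any" in r.applications or app in r.applications)):
            return app, r.action, r.name
    # Nothing matched: the implicit interzone default at the end of the rulebase drops the session.
    return app, "deny", "interzone-default"


# Constructed rulebase for the example; zone and rule names are invented here.
FTP_PORTS: Tuple[PortRange, ...] = ((20, 20), (21, 21), (1024, 65535))   # step 1: custom-ftp ports
OVERRIDES = [OverrideRule("override-ftp", "untrust", "dmz", "tcp", FTP_PORTS, "custom-ftp")]
ALLOW_CUSTOM = SecurityRule("allow-custom-ftp", "untrust", "dmz", frozenset({"custom-ftp"}), "allow")
ALLOW_STOCK = SecurityRule("allow-ftp", "untrust", "dmz", frozenset({"ftp"}), "allow")

CONTROL = Flow("untrust", "dmz", "tcp", 21, "ftp")            # client -> server command port
PASSIVE_DATA = Flow("untrust", "dmz", "tcp", 50000, "ftp")    # client -> server passive data port

if __name__ == "__main__":
    for label, rules in (("custom-ftp rule present", [ALLOW_CUSTOM]),
                         ("stock ftp rule only", [ALLOW_STOCK])):
        for flow in (CONTROL, PASSIVE_DATA):
            print(f"{label}: port {flow.dst_port} -> {evaluate(flow, OVERRIDES, rules)}")
```

With the custom-ftp security rule in place, both the control session and the passive data session are identified as custom-ftp and allowed. With only a rule for the stock ftp application, the same sessions are still renamed by the override and then hit the implicit deny, which is the behaviour step 3 warns about. Removing the override entirely returns the control session to the stock ftp name and the old rule matches again, so the override and the security rule must be rolled out together.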


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFeCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail