Meraki

Vaishkhan · ‎Sep 7 2021

Hi Everyone,

can anyone confirm me that in client machine internet explorer>Internet options>advanced to disable\uncheck "use Passive FTP" is secure or not. because when I am disabling\unchek use Passive FTP i can access the ftp but when i check\enable it ftp is not access.

Thanks.

Thanks & Regards

GIdenJoe · ‎Sep 7 2021

FTP is inherently insecure since it has no encryption.

If you are able you should use sFTP.

In regards to your problem:
Does the problem go away if you allow all outbound traffic?

It's possible that the MX is not recording the FTP PORT command from the server and not letting outbound connection to FTP server.

More info here:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Conf...

KarstenI · ‎Sep 7 2021

Adding to @GIdenJoe :

Yes the MX doesn't have any FTP inspection. If there is an FTP server on the inside with passive FTP, the Data-ports should be configured statically on the FTP server and forwarded on the MX.

GIdenJoe · ‎Sep 8 2021

I'm not entirely sure about that last thing @KarstenI .

If the MX didn't do any inspecting of FTP then active FTP on clients would not work, but they do.

I'm not sure however that passive mode works (client wise).

For a server behind your MX is definitely does not work because you need to port forward as mentioned in the article.

KarstenI · ‎Sep 8 2021

@GIdenJoe wrote:
I'm not entirely sure about that last thing @KarstenI .

If the MX didn't do any inspecting of FTP then active FTP on clients would not work, but they do.

I haven't tested it for quite some while with "Active", but based on the note "Note: Outbound active FTP is supported in MX Firmware version 12.25+ and 13.6+" there really could be some limited FTP-inspection. But not really as powerful as on other firewalls, which is the reason we have to do the mentioned configuration for passive FTP which is not needed for example on the ASA.