Passive FTP

Vaishkhan

Hi Everyone,

Can anyone confirm whether, on a client machine, unchecking "Use Passive FTP" under Internet Explorer > Internet Options > Advanced is secure or not? When I uncheck "Use Passive FTP" I can access the FTP, but when I check it the FTP is not accessible.

Thanks.

Thanks & Regards
GIdenJoe

FTP is inherently insecure since it has no encryption.

If you are able, you should use sFTP.

In regards to your problem:
Does the problem go away if you allow all outbound traffic?

It's possible that the MX is not recording the FTP PORT command from the server and not allowing the outbound connection to the FTP server.

More info here:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Conf...

KarstenI

Adding to @GIdenJoe :

Yes, the MX doesn't have any FTP inspection. If there is an FTP server on the inside with passive FTP, the data ports should be configured statically on the FTP server and forwarded on the MX.

GIdenJoe

I'm not entirely sure about that last thing, @KarstenI.

If the MX didn't do any inspecting of FTP then active FTP on clients would not work, but it does.

I'm not sure, however, that passive mode works (client-wise).

For a server behind your MX it definitely does not work, because you need to port forward as mentioned in the article.

KarstenI
@GIdenJoe wrote:

I'm not entirely sure about that last thing, @KarstenI.

If the MX didn't do any inspecting of FTP then active FTP on clients would not work, but it does.

I haven't tested it for quite a while with "Active", but based on the note "Note: Outbound active FTP is supported in MX Firmware version 12.25+ and 13.6+" there really could be some limited FTP inspection. But it is not really as powerful as on other firewalls, which is the reason we have to do the mentioned configuration for passive FTP, which is not needed, for example, on the ASA.
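
As an added illustration that is not part of any poster's reply and is not Meraki code: the sketch below shows what a firewall doing FTP inspection has to read from the control channel, namely the address and port announced in a `PORT` command (active mode) or a `227` reply (passive mode), and which side then opens the data connection. The function names, the sample lines and the addresses are constructed for this example.

```python
import re

# h1,h2,h3,h4,p1,p2 field shared by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(line, client_ip, server_ip):
    """Describe the data connection announced by one control-channel line.

    client_ip / server_ip are the addresses seen on the control connection.
    Returns None for lines that do not negotiate a data channel.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the client listens, the server connects back to it.
        mode, initiator, expected = "active", server_ip, client_ip
    elif line.startswith("227"):
        # Passive mode: the server listens, the client opens a second connection.
        mode, initiator, expected = "passive", client_ip, server_ip
    else:
        return None
    endpoint = parse_hostport(line[4:])
    if endpoint is None:
        return None
    return {"mode": mode, "initiator": initiator, "listener": endpoint,
            # False: announced address is not the control-channel peer,
            # e.g. a server behind NAT announcing its private address.
            "address_matches": endpoint[0] == expected}

# Constructed control-channel lines (documentation address ranges)
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (198,51,100,5,234,96)",
    "227 Entering Passive Mode (10,0,0,5,234,96)",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, "->", data_channel(s, "192.0.2.10", "198.51.100.5"))
```

The `listener` port is the one a firewall without inspection has no way to learn, which is why a passive-mode server behind it needs a fixed data-port range that is forwarded statically.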
