Passive FTP inspection

Ole_Soerensen
Here to help

I had issues with passive FTP from clients outside to a server on the inside... I assumed an NG firewall like the MX64/65 would do inspection on the passive FTP to detect and allow the data ports supported (and announced) from the FTP server dynamically. But to my surprise I found info in the online documentation (https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Co...), stating that I needed to open TCP port 1024-65535 towards the server for passive FTP to work!!

Is this really "as is", or are there any fixes that can be applied or in development / pipeline?

I did check the server manually, and found out it only needed around 32 specific high ports, so that was what I ended up configuring, and of course it works... but I was surprised to see Meraki stating that "you should just open all high ports from outside to the specific server"... that is not a really clever thing to advise... especially if you don't know what other services are running on a server!

Best regards

Ole
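
The control-channel inspection the post above expected from the firewall, sketched as an added example (not part of the original post and not Meraki code): it parses the server's 227 (PASV) and 229 (EPSV) replies and opens only the announced data port, provided it falls inside a narrow configured range. The function names, the 192.0.2.10 server address, the 50000-50010 range and the sample lines are constructed assumptions.

```python
import re

# 227 reply (RFC 959): h1,h2,h3,h4,p1,p2 with data port = p1*256 + p2
PASV_RE = re.compile(r"^227[ -].*?" + ",".join([r"(\d{1,3})"] * 6))
# 229 reply (RFC 2428): (<d><d><d>port<d>), delimiter is normally "|"
EPSV_RE = re.compile(r"^229[ -].*?\((.)\1\1(\d{1,5})\1\)")

def parse_passive_reply(line):
    """Return (ip_or_None, port) announced by a 227/229 reply, else None."""
    m = PASV_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None  # malformed: every field must fit in one byte
        return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(2))
        return (None, port) if 0 < port <= 65535 else None
    return None

def pinhole_for(line, server_ip, allowed=range(50000, 50011)):
    """Decide what an inspecting firewall would open for one control-channel line.

    server_ip is the address the server is expected to announce (assumption);
    allowed is the passive port range configured on the FTP server.
    """
    parsed = parse_passive_reply(line)
    if parsed is None:
        return None  # not a passive-mode reply, nothing to open
    ip, port = parsed
    if ip is not None and ip != server_ip:
        return ("reject", port, "announced address is not the server")
    if port not in allowed:
        return ("reject", port, "port outside configured passive range")
    return ("allow", port, "single data port for this session")

if __name__ == "__main__":
    # Constructed control-channel lines, not captured traffic
    for line in [
        "227 Entering Passive Mode (192,0,2,10,195,80)",
        "229 Entering Extended Passive Mode (|||50005|)",
        "227 Entering Passive Mode (192,0,2,10,4,1)",
        "230 Login successful",
    ]:
        print(line, "->", pinhole_for(line, "192.0.2.10"))
```

Without this kind of inspection the firewall rule has to cover every port the server might announce, which is why pinning the server to a small passive range keeps the static rule narrow.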

3 Replies
PhilipDAth
Kind of a big deal

I'm always a little surprised to find people still using the old insecure FTP mechanism. Especially when you have such excellent free server products like FileZilla that support both FTPS and SFTP. I would encourage you to change over to one of these more "current" technologies.

And if you really really want to continue using passive FTP, then I would still recommend FileZilla. You can configure it to allow a range of ports, like 50000 to 50010, and then you only need to NAT this small range through.

But really, in this day and age, it is time to say goodbye to these insecure legacy protocols.

Adam
Kind of a big deal

+1 on what @PhilipDAth said. But candidly, I try to avoid running anything like web or ftp servers internally.  Far less expensive and less risk for us to just get something externally hosted.  Then I don't have to poke any holes in my network.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Ole_Soerensen
Here to help

Well, I think everybody would agree that changing the legacy protocol in use would be "the best thing to do", but it's not up to me to decide the protocols used and services offered by other companies (I'm a Senior Consultant at a large Cisco partner company)... I can advise them, but when push comes to shove, it's up to the specific customer to choose..

This specific customer is migrating from older, over the counter CPE hardware that handled the passive FTP inspection... so I was just curious as to why this protocol inspection was dropped on a next-gen firewall... to my knowledge passive FTP is still used on a very large scale... legacy protocol or not!

Regards Ole
