hi,

Maybe I didn't explain myself. I need to create an outbond rule that allows some internal ip to connect to some ftp servers but not use any other outgoing protocol.

example

the problem that opening only the ftp port 21 does not work.

Regards

Are you connecting to active or passive FTP servers? If you're not sure, you need both 20 and 21.

Just to check, you're using regular FTP and not SFTP? Because if SFTP, you'll need 22 as well.

If you are connecting to a passive mode FTP server:

• The client connects out on port 21.
• The client sends a PASV command and the server responds with a port on its side.
• The client connects out on the returned port from a random port.

If you are connecting to an active mode server:

• The client connects out on port 21.
• The client sends a "port" command to say it is listening on a specific port for data.
• The server then connects back to the client from its port 20 to the port the client specified

The MX NAT will correctly fix up NAT for active mode connections to allow the return traffic.  Passive mode does not require any fixups.

The MX wont correct any outbound firewall rules you have created to explicitly block traffic.

If you create a default "deny all" rule limiting outbound traffic then you'll probably want to create a simple "permit ip any host x.x.x.x" style rule to the specific FTP server the users need to connect to.

Hi, thank for answer.

First consideration puzzles me that a 15-year-old device has features (ftp fixup, object group) that do not exist on a current product.
For the problem in question if instead of deny any any I put a deny of the different subnets to any fixup is applied?

Best regards

Not to hijack a thread, but every other security appliance I have ever administered, will open the ports received in the PASV command coming from the FTP/SFTP server.  Most also have an implicit deny at the end of all access lists.  Meraki has an implicit allow, therefore requiring a deny any any rule to be created.  Otherwise the MX devices are nothing more than a router.  How do we go about requesting that this be added as a feature.  I feel confident if we as a company knew this was the way these appliances behaved from a security perspective, we would have chosen a different vendor.    

SFTP is all tunneled over SSH, which removes the need for such NAT hacks. Past experience has dictated that any sort of NAT considerations for FTP aren't likely to be implemented given that FTP is a cleartext protocol that transmits usernames and passwords unprotected.

As for the the firewall rules, "implicit" implies that it's an unspecified behavior, which is not the case. Yes, there's a default allow rule, but it's very much explicit.