I replaced an old Cisco PIX 520 with a Meraki 400. Some firewall rules that worked correctly before now have problems.
For example, a firewall rule that allows some internal IPs FTP access to some external servers does not work properly. To have no problems I had to give access to all the ports (any). I thought that the problems related to FTP were only in inbound rules. What other ports should be opened to correctly use outbound FTP?
You should not have to explicitly allow anything outbound.
Have you seen this?
Maybe I didn't explain myself. I need to create an outbound rule that allows some internal IPs to connect to some FTP servers but not use any other outgoing protocol.
The problem is that opening only FTP port 21 does not work.
Are you connecting to active or passive FTP servers? If you're not sure, you need both 20 and 21.
Just to check, you're using regular FTP and not SFTP? Because if SFTP, you'll need 22 as well.
If you are connecting to a passive mode FTP server:
If you are connecting to an active mode server:
The MX NAT will correctly fix up NAT for active mode connections to allow the return traffic. Passive mode does not require any fixups.
The MX won't correct any outbound firewall rules you have created to explicitly block traffic.
If you create a default "deny all" rule limiting outbound traffic then you'll probably want to create a simple "permit ip any host x.x.x.x" style rule to the specific FTP server the users need to connect to.
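The reason a "TCP/21 only" rule fails, shown as an added example that is not part of this thread or of any Meraki code: the FTP data channel is negotiated in-band on the control connection, so in passive mode the client opens a second outbound connection to whatever ephemeral port the server announces in its 227 reply, and in active mode the server connects back to the port the client announces in PORT. The script parses both messages and runs the resulting flows through a small first-match ACL model. The evaluator is a simplified stand-in for a stateless outbound rule set, not the MX's actual engine, and all addresses and ports are constructed sample values.

```python
"""Why 'allow TCP/21 only' is not enough for outbound FTP (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample messages as seen on the FTP control channel.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"  # server -> client
PORT_CMD = "PORT 192,168,1,25,4,1\r\n"                                # client -> server

CLIENT = "192.168.1.25"      # constructed internal host
SERVER = "203.0.113.10"      # constructed external FTP server


def parse_hostport(text):
    """Extract (ip, port) from a PASV 227 reply or a PORT command.

    Both carry h1,h2,h3,h4,p1,p2 where port = p1*256 + p2.
    """
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        raise ValueError("no host/port tuple found")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: object # int, (lo, hi) tuple, or "any"


def ip_in(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def port_match(port, spec):
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; anything unmatched is implicitly denied."""
    for r in rules:
        if (r.proto in ("any", proto) and ip_in(src, r.src)
                and ip_in(dst, r.dst) and port_match(dport, r.dport)):
            return r.action
    return "deny"


def passive_flows():
    """Outbound flows the client opens against a passive-mode server."""
    _, data_port = parse_hostport(PASV_REPLY)
    return [("tcp", CLIENT, SERVER, 21),          # control channel
            ("tcp", CLIENT, SERVER, data_port)]   # data channel, server-chosen port


def active_data_flow():
    """In active mode the *server* connects back to the client's PORT address,
    so the data channel is return traffic, not an outbound flow."""
    client_ip, client_port = parse_hostport(PORT_CMD)
    return ("tcp", SERVER, client_ip, client_port)


# Hypothetical rule sets modelling the two approaches discussed in the thread.
PORT_ONLY = [Rule("allow", "tcp", "192.168.1.0/24", "any", 21),
             Rule("deny", "any", "any", "any", "any")]
HOST_BASED = [Rule("allow", "any", "192.168.1.0/24", SERVER + "/32", "any"),
              Rule("deny", "any", "any", "any", "any")]


def check(rules, flows):
    return [evaluate(rules, *f) for f in flows]


if __name__ == "__main__":
    print("passive, port-21-only rule :", check(PORT_ONLY, passive_flows()))
    print("passive, per-host rule     :", check(HOST_BASED, passive_flows()))
    print("active data channel        :", active_data_flow())
```

With the port-21-only rule set the control channel is allowed but the passive data connection to the server's ephemeral port is denied, which matches the symptom in the question; a per-host "permit any to the FTP server" rule covers both. The active-mode data flow comes from the server towards the client, which is why it depends on the MX's NAT fixup rather than on the outbound rule.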
Hi, thanks for the answer.
First consideration: it puzzles me that a 15-year-old device has features (FTP fixup, object groups) that do not exist on a current product.
For the problem in question, if instead of "deny any any" I put a deny of the different subnets to any, is the fixup applied?