FTP over SSL traffic does not pass through Security Gateway
  • FTP over SSL traffic does not pass through Security Gateway.

FTP over SSL is not supported by the Security Gateway's FTP inspection.

Once the client and server have negotiated TLS on the control connection (AUTH TLS / AUTH SSL on the standard FTP port), the control channel is encrypted. The gateway can no longer read the PORT command (or the 227 reply to PASV) to learn which data port it has to open, so the data connection is never allowed and the transfer is blocked.

There are certain configuration options that can allow FTP over SSL through the Security Gateway.
The Security Gateway's FTP inspection insists on a 'newline' sequence in certain places (for example, after the PORT command): it expects every FTP command and reply line to be terminated with \r\n (CRLF), as RFC 959 requires, and lines that are not terminated this way are not accepted. Refer to sk39516.
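
The following is an added, constructed example (not Check Point code) that models what FTP inspection on a firewall has to do to pass FTP: read the cleartext control connection, recognise a PORT command or a 227 reply to PASV, and derive the data connection to open. It applies the CRLF rule described above and shows why both a bare-LF line and an encrypted control channel leave the gateway with nothing it can parse. The sample lines, the TLS record bytes and the names `inspect_line`, `DataPinhole` and `InspectionError` are assumptions made for this example.

```python
"""Toy model of FTP control-channel inspection (constructed example, not Check Point code)."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 host-port syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + _HOSTPORT + rb"$")          # client -> server (active mode)
PASV_RE = re.compile(rb"^227 [^(]*\(" + _HOSTPORT + rb"\)")   # server -> client (passive mode)


class InspectionError(ValueError):
    """The line cannot be parsed the way the gateway's FTP inspection expects."""


@dataclass(frozen=True)
class DataPinhole:
    """Data connection the gateway would have to allow."""
    host: str
    port: int


def _hostport(groups) -> DataPinhole:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise InspectionError("host-port field out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise InspectionError("data port 0 is invalid")
    return DataPinhole(f"{h1}.{h2}.{h3}.{h4}", port)


def inspect_line(line: bytes) -> Optional[DataPinhole]:
    """Inspect one line of the control channel.

    Returns the DataPinhole to open for a PORT command or a 227 reply, None for
    any other well-formed FTP line, and raises InspectionError when the line is
    not cleartext FTP terminated with CRLF.
    """
    body = line.rstrip(b"\r\n")
    # FTP commands and replies are printable ASCII. TLS records are not, so once
    # AUTH TLS has been negotiated this check fails for every subsequent line.
    if any(b < 0x20 or b > 0x7E for b in body):
        raise InspectionError("control channel is not readable FTP (encrypted?)")
    # The CRLF rule: a bare \n is rejected even though the text is readable.
    if not line.endswith(b"\r\n"):
        raise InspectionError("FTP line not terminated with CRLF")
    m = PORT_RE.match(body) or PASV_RE.match(body)
    return _hostport(m.groups()) if m else None


# Constructed control-channel samples (made up for this example).
SAMPLES = {
    "plaintext PORT": b"PORT 192,168,1,10,4,1\r\n",                          # 4*256+1 = 1025
    "plaintext PASV reply": b"227 Entering Passive Mode (10,0,0,5,195,80)\r\n",  # 195*256+80 = 50000
    "ordinary command": b"USER anonymous\r\n",
    "bare LF (sk39516 case)": b"PORT 192,168,1,10,4,1\n",
    # Header of a TLS 1.2 application-data record that would carry the PORT
    # command after AUTH TLS; the payload bytes are invented.
    "after AUTH TLS": b"\x17\x03\x03\x00\x20\x8a\x1f\xc4\x50\x9b\x02\xe7\x3d",
}


def run_inspection(samples=SAMPLES) -> dict:
    """Map each sample to the pinhole it yields, or the reason it is blocked."""
    results = {}
    for name, line in samples.items():
        try:
            results[name] = inspect_line(line)
        except InspectionError as exc:
            results[name] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_inspection().items():
        print(f"{name:24} -> {outcome}")
```

Only the two plaintext lines yield a data port; the bare-LF line is rejected by the CRLF check, and the TLS record is rejected before any FTP parsing is attempted, which is the situation the article describes for FTP over SSL.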

Some variants of FTP over SSL (implicit FTPS) operate over different ports: TCP port 990 for the control connection and TCP port 989 for the data connection. In this case, you simply need to create the following TCP services:

  • ftp-ssl-control: destination port 990

  • ftp-ssl-data: destination port >1023 (1024-65535), source port 989

The rulebase to permit access would look like:

  Source       Destination   Service           Action
  ftp-client   ftp-server    ftp-ssl-control   accept
  ftp-server   ftp-client    ftp-ssl-data      accept

These rules cover active-mode transfers, where the server opens the data connection from source port 989 to an ephemeral port on the client. Passive-mode transfers, where the client opens the data connection to a port chosen by the server, are not matched by the ftp-ssl-data rule.
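
As an added example (not Check Point code or configuration syntax), the two TCP services and the two rules above are reproduced in plain Python so that the matching behaviour can be checked against sample connections, including the passive-mode case. The object and function names (`TcpService`, `Rule`, `evaluate`) and the sample port numbers are assumptions made for this example.

```python
"""Model of the implicit FTPS services and rulebase (constructed example, not Check Point code)."""
from dataclasses import dataclass
from typing import List

ANY_PORT = range(1, 65536)


@dataclass(frozen=True)
class TcpService:
    name: str
    dst_ports: range
    src_ports: range = ANY_PORT   # most services leave the source port unrestricted

    def matches(self, src_port: int, dst_port: int) -> bool:
        return src_port in self.src_ports and dst_port in self.dst_ports


# The two services defined in the article.
FTP_SSL_CONTROL = TcpService("ftp-ssl-control", dst_ports=range(990, 991))
FTP_SSL_DATA = TcpService("ftp-ssl-data", dst_ports=range(1024, 65536), src_ports=range(989, 990))


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: TcpService
    action: str


# The two rules from the article; hosts are referred to by their object names.
RULEBASE: List[Rule] = [
    Rule("ftp-client", "ftp-server", FTP_SSL_CONTROL, "accept"),
    Rule("ftp-server", "ftp-client", FTP_SSL_DATA, "accept"),
]


def evaluate(src: str, dst: str, src_port: int, dst_port: int, rulebase=RULEBASE) -> str:
    """First-match evaluation; anything unmatched falls to the cleanup (drop) rule."""
    for rule in rulebase:
        if (rule.source, rule.destination) == (src, dst) and rule.service.matches(src_port, dst_port):
            return f"{rule.action} ({rule.service.name})"
    return "drop (cleanup)"


# Constructed connection attempts: (source, destination, source port, destination port).
SCENARIOS = {
    "control connection":       ("ftp-client", "ftp-server", 51234, 990),
    "active-mode data":         ("ftp-server", "ftp-client", 989, 51235),
    "data from wrong src port": ("ftp-server", "ftp-client", 20, 51235),
    "passive-mode data":        ("ftp-client", "ftp-server", 51236, 55000),
}


def run_scenarios(scenarios=SCENARIOS) -> dict:
    """Return the verdict of the rulebase for every scenario."""
    return {name: evaluate(*conn) for name, conn in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26} -> {verdict}")
```

The control connection and the active-mode data connection are accepted; a data connection that does not originate from port 989 is dropped, and so is a passive-mode data connection from the client, which the two rules above do not cover.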

If you still cannot get this traffic through the gateway, there are several ways to disable FTP enforcement. Usually this is done through SmartDefense/IPS, by disabling the FTP Bounce attack protection.
Note: This is NOT recommended, because it removes the gateway's protection against FTP bounce attacks for all FTP traffic, not only for the FTP over SSL sessions.



