FTP over SSL traffic does not pass through Security Gateway
FTP over SSL is not supported.
Since FTP over SSL is encrypted, the Security Gateway cannot inspect the PORT command to determine which data port to open, so the traffic is blocked.
There are certain configuration options that can allow FTP over SSL through the Security Gateway.
The Security Gateway insists on a newline character in certain places (after the PORT command): it expects each FTP header coming from the server to end with \r\n. Refer to sk39516.
Some variants of FTP over SSL operate on different ports (port 990 for control, 989 for data). In this case, you simply need to create the following TCP services:
- ftp-ssl-control: port 990
- ftp-ssl-data: port >1023, source port 989
The rulebase to permit access would look like:
If you still cannot get this traffic through the gateway, there are several ways to disable FTP enforcement. This is usually done in SmartDefense/IPS by disabling the FTP Bounce attack protection.
Note: This is NOT recommended.
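The following added example (not Check Point code) models the decision described above: for plain FTP the data port is learned by parsing the client's CRLF-terminated PORT command, while for FTP over SSL the command is inside TLS and only the static ftp-ssl-control / ftp-ssl-data services defined above can permit the traffic. Service names and ports follow the article; the function names, the PORT parsing, and the sample inputs are assumptions of this model.

```python
"""Simplified model of FTP data-channel handling at a stateful gateway.
Added example; not Check Point code.  Service names/ports follow the article."""
import re
from typing import Optional

# Static TCP services as the article tells you to define them.
FTP_SSL_CONTROL_PORT = 990   # ftp-ssl-control
FTP_SSL_DATA_SRC_PORT = 989  # ftp-ssl-data: source port 989, dest port > 1023

# Active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2" terminated by CRLF.
_PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(line: bytes) -> Optional[int]:
    """Return the data port announced by a PORT command, or None.
    Mirrors the strictness noted in sk39516: a line ending in a bare
    '\\n' is rejected, so no data port is learned (constructed model)."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    p1, p2 = int(m.group(5)), int(m.group(6))
    return p1 * 256 + p2


def matches_ftp_ssl_service(src_port: int, dst_port: int) -> Optional[str]:
    """Match a TCP connection against the two services from the article."""
    if dst_port == FTP_SSL_CONTROL_PORT:
        return "ftp-ssl-control"
    if src_port == FTP_SSL_DATA_SRC_PORT and dst_port > 1023:
        return "ftp-ssl-data"
    return None


def data_channel_decision(encrypted: bool, port_line: bytes,
                          data_src_port: int, data_dst_port: int) -> str:
    """Decide whether a data connection is allowed (hypothetical model).
    Plain FTP: open exactly the port learned from a well-formed PORT command.
    FTP over SSL: PORT is unreadable, so only the static service can allow it."""
    if not encrypted:
        learned = parse_port_command(port_line)
        if learned is None:
            return "blocked: PORT command not parseable (missing CRLF?)"
        if data_dst_port == learned:
            return "allowed: port learned from PORT"
        return "blocked: port was not announced"
    if matches_ftp_ssl_service(data_src_port, data_dst_port) == "ftp-ssl-data":
        return "allowed: static ftp-ssl-data service"
    return "blocked: encrypted control channel and no static service"
```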
Imported from Nokia support database