SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FTP Active over SRX 220 having issues with FTP ALG

    Posted 12-01-2015 07:52

    I have an unusual problem that I hope I can get some help on. So just a tiny bit of history .. there were users having FTP issues at one location where I installed an SRX, so I turned FTP ALG off and now FTP is working .. with one exception.

     

    For some reason ACTIVE FTP now no longer works correctly (assuming that ALG was helping with that). I have some users that insist on using WINDOWS FTP (which uses ACTIVE FTP) instead of alternatives like Filezilla or WSFTP, etc... which would use PASSIVE. People can connect with no issues, but when they go to download they are getting a "500 Illegal PORT range rejected" error every time. Has anyone seen this, or is there a known way to fix this with FTP ALG off?

     

    I haven't been able to see much I can do other than NOT using Windows FTP / ACTIVE. I am hoping someone ran into this who has lots of "customers" using FTP.

     

    ----------------

    EDIT - doing a bit more reading I realize there was a problem (memory leak) with FTP ALG. I believe I may have made the cut though.. running 12.1X46-D30.2 (and the problem, from what I am seeing, was prior to 12.1X44).

     

    Is there any merit to the idea that FTP ALG has to be on for FTP ACTIVE to be able to work?

    ----------------

     



  • 2.  RE: FTP Active over SRX 220 having issues with FTP ALG

    Posted 12-01-2015 08:29

    @jabbyjim wrote:

     

    For some reason ACTIVE FTP now no longer works correctly (assuming that ALG was helping with that). I have some users that insist on using WINDOWS FTP (which uses ACTIVE FTP) instead of alternatives like Filezilla or WSFTP, etc... which would use PASSIVE.


    You're correct, that is the purpose of the ALG. FTP works through two channels: the first is initiated from the client to the server (destination port 21) and is used for control. The second channel depends on the mode you are using, but for active mode a session (second channel) is initiated from the server to the client for data transfer, where the server will connect to the client from source port 20. For optimal security it would be recommended that you enable the ALG and troubleshoot the cases that were having issues before, as they might not be using standard ports.

     

    Another alternative (albeit less secure) is to open traffic in the reverse direction, from the zone with the FTP server to the zone with the client PCs, using a custom application with source port 20. Assuming the FTP server is on the untrust zone and clients are on the trust zone:

     

     

    set applications application ftp-return-port protocol tcp
    set applications application ftp-return-port source-port 20
    
    set security policies from-zone untrust to-zone trust policy return-ftp match source-address any
    set security policies from-zone untrust to-zone trust policy return-ftp match destination-address any
    set security policies from-zone untrust to-zone trust policy return-ftp match application ftp-return-port
    set security policies from-zone untrust to-zone trust policy return-ftp then permit

     

    You should also change the source address to match that of your FTP server, and likewise the destination address to match the client network.

     

     



  • 3.  RE: FTP Active over SRX 220 having issues with FTP ALG

    Posted 12-01-2015 10:46

    great!! this makes incredible sense, thank you. We indeed are not using non-standard FTP ports.

     

    I'm pushing my luck now but .. so if I turn FTP ALG back on, what can I do to allow the alternative ports as well? Is it just a matter of the return port being set, or is there more to it?

     

    I'm guessing it would be something like ..

     

     

    set applications application ftp-return-port protocol tcp
    set applications application ftp-return-port source-port 5000-5021
    
    set security policies from-zone untrust to-zone trust policy return-ftp match source-address any
    set security policies from-zone untrust to-zone trust policy return-ftp match destination-address any
    set security policies from-zone untrust to-zone trust policy return-ftp match application ftp-return-port
    set security policies from-zone untrust to-zone trust policy return-ftp then permit

     



  • 4.  RE: FTP Active over SRX 220 having issues with FTP ALG
    Best Answer

    Posted 12-01-2015 18:51

    If you were to re-enable the ALG you would have to create another custom ALG for the FTP servers not using the standard ports (like I said, I wouldn't recommend opening a return port, as the ALG is more secure). Here is a knowledge base article just for that:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23611&actp=search

     

    Also you should review the non-standard ports you are using, as FTP only requires two ports; in your comment your sample configuration is using all ports from 5000 to 5021.



  • 5.  RE: FTP Active over SRX 220 having issues with FTP ALG

    Posted 12-07-2015 08:50

    It's obvious I still need to learn more about FTP as well! I am afraid I was a bit confused, but I believe I see the light now!

     

    Assuming I am not allowed to turn FTP ALG back on at this time, I am pointing to the alternative until I can.

     

    Keeping in mind this is not an FTP forum (thus pushing my luck once again), aside from opening the FTP return on port 20 (default), I would also have to open the server port minus one (n-1) for each custom non-default connection, for each server, correct?

     

    So if I had a server that I connect to on 5001, I would need to open 5000 for the return, and so on? Is that correct?

     

    Makes me really appreciate Passive mode for sure.

     

    Update: I actually found a resource that explained the differences pretty well. The data will always be port 20 in Active Mode, which is what you were telling me all along ... but it wasn't sinking in.

     

    Active FTP :
         command | client >1023 -> server 21
         data    | client >1023 <- server 20
    
    Passive FTP :
         command | client >1023 -> server 21
         data    | client >1024 -> server >1023

     

    thanks again for all your help!
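The two-channel behaviour explained in reply 2 and the active/passive diagram in reply 5, worked through as an added example (this is not code from the thread, from Juniper or from any FTP server). It decodes the PORT command and the 227 PASV reply that negotiate the data channel, derives the data connection's first packet in each mode, and runs it through a small model of a stateful policy set: once with only an outbound policy, once with an ALG-style pinhole learned from the control channel, and once with the broad source-port-20 return policy from reply 2. The addresses, the zone layout, the policy list and the server-side PORT check are all constructed assumptions for the example.

```python
"""Active vs passive FTP data channels as a stateful firewall sees them.

Added example, not from the thread or from Juniper. It decodes the PORT
command / PASV reply that negotiates the data channel, derives the data
connection's first packet, and checks it against a small policy model
with and without an ALG pinhole. All addresses, zones and policies
below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_port: Optional[int] = None   # None matches any port
    src_port: Optional[int] = None   # None matches any port


# Constructed zone layout: one inside prefix is "trust", everything else "untrust".
TRUST_NET = ipaddress.ip_network("10.0.0.0/24")


def zone_of(ip: str) -> str:
    return "trust" if ipaddress.ip_address(ip) in TRUST_NET else "untrust"


def parse_hostport(arg: str) -> Tuple[str, int]:
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form; port = p1*256 + p2."""
    nums = [int(p) for p in arg.strip().split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"malformed host/port string: {arg!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Extract the server's data listener from a '227 Entering Passive Mode (...)' reply."""
    m = re.match(r"227 .*\((\d+(?:,\d+){5})\)", reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return parse_hostport(m.group(1))


def check_port_command(ctrl_client_ip: str, arg: str) -> str:
    """Server-side sanity check on a client's PORT argument.

    Assumption: modelled on the usual rule (RFC 2577) that the address must
    equal the control connection's peer and the port must be unprivileged;
    the exact reply wording varies between server implementations.
    """
    host, port = parse_hostport(arg)
    if host != ctrl_client_ip or port < 1024:
        return "500 Illegal PORT command"
    return "200 PORT command successful"


def active_data_flow(server_ip: str, port_arg: str) -> Flow:
    """Active mode: the server opens the data channel from port 20 to the client."""
    host, port = parse_hostport(port_arg)
    return Flow(server_ip, 20, host, port)


def passive_data_flow(client_ip: str, client_port: int, pasv_reply: str) -> Flow:
    """Passive mode: the client opens the data channel to the port the server announced."""
    host, port = parse_pasv_reply(pasv_reply)
    return Flow(client_ip, client_port, host, port)


def first_packet_permitted(flow: Flow, policies: Iterable[Policy],
                           pinholes: Iterable[Flow] = ()) -> bool:
    """Decide a new session's first packet: either an ALG pinhole (the exact flow
    the ALG learned from the control channel) or a policy in the zone direction."""
    if flow in set(pinholes):
        return True
    direction = (zone_of(flow.src_ip), zone_of(flow.dst_ip))
    for p in policies:
        if (p.from_zone, p.to_zone) != direction:
            continue
        if p.dst_port not in (None, flow.dst_port) or p.src_port not in (None, flow.src_port):
            continue
        return True
    return False


def demo() -> dict:
    client, server = "10.0.0.25", "203.0.113.7"          # constructed addresses
    port_arg = "10,0,0,25,19,136"                        # client listens on 19*256+136 = 5000
    active = active_data_flow(server, port_arg)
    passive = passive_data_flow(client, 40000,
                                "227 Entering Passive Mode (203,0,113,7,19,137).")
    outbound_only = [Policy("trust", "untrust")]                              # clients may go out
    with_return = outbound_only + [Policy("untrust", "trust", src_port=20)]  # reply 2's policy
    alg_pinhole = {active}           # what an FTP ALG opens after reading the PORT command
    stray = Flow("198.51.100.9", 20, client, 8443)   # unrelated inbound flow using source port 20
    return {
        "active_no_alg": first_packet_permitted(active, outbound_only),
        "active_alg": first_packet_permitted(active, outbound_only, alg_pinhole),
        "active_return_policy": first_packet_permitted(active, with_return),
        "passive_no_alg": first_packet_permitted(passive, outbound_only),
        "stray_with_return_policy": first_packet_permitted(stray, with_return),
        "stray_with_alg": first_packet_permitted(stray, outbound_only, alg_pinhole),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>26}: {'permit' if allowed else 'deny'}")
```

Running the block shows the point of the thread in one table: the active-mode data SYN (server:20 to client:5000) is denied with only an outbound policy, permitted by the ALG pinhole, and permitted by the source-port-20 return policy; passive mode needs neither, because the client initiates both channels. The two `stray` rows show why reply 2 calls the return policy less secure: the pinhole admits only the one flow announced on the control channel, whereas the return policy admits any inbound connection that happens to use source port 20. The `parse_pasv_reply` row also answers the n-1 question in reply 5 for passive mode: the data port is whatever the server announces in the 227 reply, not a fixed offset from the control port.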