Description
This article describes how to allow explicit FTPS connection over VIP.
Diagram.
Solution
- Explicit FTPS is a method that allows clients to request the server to create a data connection using SSL/TLS.
Since the connection is encrypted, FTPS is not supported by the FTP session helper and hence does not open the necessary pinhole.
Likewise, flow mode of inspection does not support FTPS as IPS engine cannot read the encrypted payload.
- Explicit FTPS is hence only supported with a combination of proxy based inspection and deep inspection.
WAD process can read the encrypted payload and create the 'expectation session' for the incoming data connection.
Configuration and verification.
VIP.
This article describes how to allow explicit FTPS connection over VIP.
Diagram.
Solution
- Explicit FTPS is a method that allows clients to request the server to create a data connection using SSL/TLS.
Since the connection is encrypted, FTPS is not supported by the FTP session helper and hence does not open the necessary pinhole.
Likewise, flow mode of inspection does not support FTPS as IPS engine cannot read the encrypted payload.
- Explicit FTPS is hence only supported with a combination of proxy based inspection and deep inspection.
WAD process can read the encrypted payload and create the 'expectation session' for the incoming data connection.
Configuration and verification.
VIP.
# config firewall vipPolicy.
edit "FTP"
set uuid e568911a-cfa3-51eb-1d37-84ff97dd0765
set extip 10.230.4.72
set mappedip "10.220.3.202"
set extintf "any"
set portforward enable
set extport 21
set mappedport 21
next
end
# config firewall policySSL inspection profile.
edit 3
set name "FTP"
set uuid fdb707ba-cfa3-51eb-1be1-c632b14d101c
set srcintf "port3"
set dstintf "port2"
set srcaddr "all"
set dstaddr "FTP"
set action accept
set schedule "always"
set service "FTP" "FTP_GET" "FTP_PUT"
set utm-status enable
set inspection-mode proxy <-----
set ssl-ssh-profile "FTP-scan"
set av-profile "default"
set webfilter-profile "default"
set ips-sensor "default"
set logtraffic all
next
end
# config firewall ssl-ssh-profileWad debugs indicating creation of pinhole session.
edit "FTP-scan"
# config https
set ports 443
set status deep-inspection
set expired-server-cert allow
set revoked-server-cert allow
set cert-validation-failure allow
set sni-server-cert-check disable
end
...
config ftps
set ports 990
set status deep-inspection <-----
set expired-server-cert allow
set revoked-server-cert allow
set cert-validation-failure allow
end
.
.
set block-blocklisted-certificates disable
set ssl-anomalies-log disable
next
removed command PASV from cmd queue.Flow debugs.
2021-07-26 21:42:05.094380 [p:508][s:40738626] wad_ftp_exec_state(3954): received event REPLY in state NORMAL
2021-07-26 21:42:05.094442 [p:508][s:40738626] wad_ftp_pasv_reply_handler(1180): offer_ip=10.220.3.202 offer_port=50756
2021-07-26 21:42:05.094643 [p:508][s:40738626] wad_ftp_tp_ses_exp_free(168): fts=0x7f52db54a9c8, exp=(nil)
2021-07-26 21:42:05.094663 [p:508][s:40738626] wad_exp_tcp_in_find(190): proto=6 vd=0 ->10.220.3.202:50756 exp_tcp_in=(nil)
2021-07-26 21:42:05.094862 [p:508][s:40738626] wad_exp_tcp_in_open(228): bound to proto=6 dest=10.220.3.202:50756 vd=0 fd=83 local=0 tin(0x7f52dca666d0)
Control session tuple: 10.230.4.86:60919 -> 10.230.4.72:21 vf 0 vrf 0
Expect session tuple: 10.230.4.86:0 -> 10.230.4.72:50756(10.220.3.202:50756) vf 0 vrf 0
dir 0 act 2 hook 0 state 0 ops 0 skip 0
redirect: TCP 10.230.4.86:0 -> 10.230.4.72:50756 DNAT 10.220.3.202:50756
2021-07-26 21:42:05.095216 [p:508][s:40738626] wad_ftp_exec_state(3980): transitioned from state NORMAL to state NORMAL
2021-07-26 21:42:05.095224 [p:508][s:40738626] __wad_ftp_session_proc_reply(706): forwarded reply to client: ftp cmd=PASV, reply code=227
2021-07-26 21:42:05.095232 [p:508][s:40738626] wad_ips_port_out_read_br(262): ips_conn=0x7f52dcaf9a90, len=48
2021-07-26 21:41:53 id=20085 trace_id=138132 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=6, 10.230.4.86:60919->10.230.4.72:21) from port3. flag [S], seq 1747348908, ack 0, win 64240"Sniffer.
2021-07-26 21:41:53 id=20085 trace_id=138132 func=init_ip_session_common line=5894 msg="allocate a new session-026d9f42"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=fw_pre_route_handler line=184 msg="VIP-10.220.3.202:21, outdev-port3"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=__ip_session_run_tuple line=3503 msg="DNAT 10.230.4.72:21->10.220.3.202:21"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.220.3.202 via port2"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=fw_forward_handler line=819 msg="Allowed by Policy-3: AV"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=ids_receive line=298 msg="send to ips"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=av_receive line=314 msg="send to application layer"
.
.
2021-07-26 21:42:05 id=20085 trace_id=138192 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=6, 10.230.4.86:60921->10.230.4.72:50756) from port3. flag [S], seq 3571380554, ack 0, win 64240"
2021-07-26 21:42:05 id=20085 trace_id=138192 func=resolve_ip_tuple_fast line=5819 msg="Find an EXP session, id-026d9f42."
2021-07-26 21:42:05 id=20085 trace_id=138192 func=__ip_session_run_tuple line=3503 msg="DNAT 10.230.4.72:50756->10.220.3.202:50756"
2021-07-26 19:41:53.694768 port3 in 10.230.4.86.60919 -> 10.230.4.72.21: syn 1747348908 <----- Control. connection
2021-07-26 19:41:53.700869 port3 out 10.230.4.72.21 -> 10.230.4.86.60919: syn 1095480473 ack 1747348909 95480473 ack 1747348909
2021-07-26 19:41:53.702645 port3 in 10.230.4.86.60919 -> 10.230.4.72.21: ack 1095480474 5480474
2021-07-26 19:41:53.782756 port2 out 10.230.4.86.60919 -> 10.220.3.202.21: syn 1560759456
2021-07-26 19:41:53.788120 port2 in 10.220.3.202.21 -> 10.230.4.86.60919: syn 2105481383 ack 1560759457 05481383 ack 1560759457
2021-07-26 19:41:53.788290 port2 out 10.230.4.86.60919 -> 10.220.3.202.21: ack 2105481384
.
.
2021-07-26 19:42:05.235631 port3 in 10.230.4.86.60921 -> 10.230.4.72.50756: syn 3571380554 <----- Data connection.
2021-07-26 19:42:05.290253 port3 out 10.230.4.72.50756 -> 10.230.4.86.60921: syn 4276598741 ack 3571380555
2021-07-26 19:42:05.291111 port3 in 10.230.4.86.60921 -> 10.230.4.72.50756: ack 4276598742
2021-07-26 19:42:05.302010 port2 out 10.230.4.86.60921 -> 10.220.3.202.50756: syn 3496112363 n 3496112363
2021-07-26 19:42:05.307813 port2 in 10.220.3.202.50756 -> 10.230.4.86.60921: syn 3328349616 ack 3496112364 3328349616 ack 3496112364
2021-07-26 19:42:05.307866 port2 out 10.230.4.86.60921 -> 10.220.3.202.50756: ack 3328349617
