SRX Services Gateway
Visitor
Olivier_Braun
Posts: 2
Registered: ‎07-07-2011
0

Server to server FTP on SRX220 device


Hello,

I'm trying to enable server-to-server FTP transfers initiated by a client located on a third computer (FXP transfer).

FTP server A and FTP server B are located in 2 different security zones of an SRX220 firewall.

To enable such a transfer, the client sends an FTP PASV command to server A and transmits the parameters in a PORT command for server B. The problem is that the firewall drops the PORT command as it does not contain the client IP.

I found a workaround by configuring the FTP servers to listen on port 2121 instead of 21 (and enabling the corresponding policy), but this requires opening a port range between the 2 zones for the FTP data connections (because the ALG is not working then).

Is there a way to configure the SRX220 ALG to enable such a configuration?

Thank you,

Olivier
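
Added example, not part of the original thread and not Juniper's ALG code: a generic Python sketch of the check described in the post above, where a PORT command is compared against the source address of the control connection. The function names, result labels and RFC 5737 addresses are constructed for illustration; the low-port rule follows the recommendation in RFC 2577.

```python
import ipaddress
import re

# RFC 959 host-port form "h1,h2,h3,h4,p1,p2", used by PORT and by the 227 reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def fxp_port_from_pasv(reply):
    """Build the PORT command an FXP client relays to server B from A's 227 reply."""
    addr, port = parse_hostport(reply)
    fields = str(addr).split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields)

def check_port_command(line, control_src):
    """Classify a PORT command seen on a control connection from control_src."""
    if not line.upper().startswith("PORT "):
        return "not-port"
    parsed = parse_hostport(line)
    if parsed is None:
        return "malformed"
    addr, port = parsed
    if addr != ipaddress.IPv4Address(control_src):
        return "third-party"      # data channel aimed at a host other than the client
    if port < 1024:
        return "privileged-port"  # RFC 2577: refuse data connections to low ports
    return "ok"

# Constructed FXP exchange using documentation addresses (RFC 5737).
CLIENT = "192.0.2.10"                                        # hypothetical FXP client
PASV_REPLY_A = "227 Entering Passive Mode (198,51,100,5,195,80)"  # from server A

if __name__ == "__main__":
    relayed = fxp_port_from_pasv(PASV_REPLY_A)               # sent to server B
    print(relayed, "->", check_port_command(relayed, CLIENT))
    print(check_port_command("PORT 192,0,2,10,195,80", CLIENT))
```

A device applying this check drops the relayed FXP command for the same reason it drops an FTP bounce attempt: both carry an address other than the client's in PORT.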

sh_
Contributor
sh_
Posts: 28
Registered: ‎01-11-2009
0

Re: Server to server FTP on SRX220 device

Could you try:

set security alg ftp disable

/Alex

Visitor
Olivier_Braun
Posts: 2
Registered: ‎07-07-2011
0

Re: Server to server FTP on SRX220 device

The PORT command is still dropped.

Olivier

Trusted Contributor
Ozark777
Posts: 115
Registered: ‎01-06-2010
0

Re: Server to server FTP on SRX220 device

Try turning off SYN checking for the FTP policy from server to server (after permit you should see this in tcp-options in 10.4).
-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46