09-01-2011 01:53 AM - edited 09-01-2011 01:55 AM
Hello,
I'm trying to enable server to server FTP transfers initiated by a client located on a third computer (FXP transfer).
FTP server A and FTP server B are located in 2 different security zones of an SRX220 firewall.
To enable such transfer, the client sends an FTP PASV command to server A and transmits the parameters in a PORT command for server B. The problem is that the firewall drops the PORT command as it does not contain the client IP.
I found a workaround by configuring the FTP servers to listen on port 2121 instead of 21 (and enabling the corresponding policy), but this requires opening a port range between the 2 zones for the FTP data connections (because the ALG is not working then).
Is there a way to configure the SRX220 ALG to enable such configuration?
Thank you,
Olivier
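The check described in the post above, modelled as an added example (not part of the thread and not Junos code): an inspection step that parses a PORT command and compares its address with the source of the control connection, which is why an FXP-style PORT carrying server A's PASV endpoint is rejected. All addresses are constructed values from documentation ranges, and the function and verdict names are hypothetical.

```python
import ipaddress
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?" + _SIX)

def _endpoint(fields):
    """Turn the six fields into (IPv4Address, port); reject values > 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def parse_pasv_reply(line):
    """Extract the data endpoint a server announces in its 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply")
    return _endpoint(m.groups())

def check_port_command(line, control_src_ip):
    """Return (verdict, endpoint) for one client-to-server control line.

    'drop-third-party' means the PORT address differs from the host that
    opened the control connection, as in the FXP case from the post.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return "not-port", None
    try:
        ep = _endpoint(m.groups())
    except ValueError:
        return "drop-malformed", None
    if ep[0] != ipaddress.IPv4Address(control_src_ip):
        return "drop-third-party", ep
    return "allow", ep

# Constructed sample: client 192.0.2.10, server A 198.51.100.5.
CLIENT = "192.0.2.10"
PASV_FROM_A = "227 Entering Passive Mode (198,51,100,5,195,80)"
FXP_PORT_TO_B = "PORT 198,51,100,5,195,80"   # relays A's endpoint to B
NORMAL_PORT = "PORT 192,0,2,10,4,1"          # client's own address

if __name__ == "__main__":
    print(parse_pasv_reply(PASV_FROM_A))
    for cmd in (FXP_PORT_TO_B, NORMAL_PORT, "PORT 1,2,3,4,5,999"):
        print(cmd, "->", check_port_command(cmd, CLIENT)[0])
```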
09-01-2011 01:56 AM
Could you try:
set security alg ftp disable
/Alex
09-01-2011 09:56 AM
the PORT command is still dropped
Olivier
09-02-2011 11:13 AM