SRX Services Gateway

Server to server FTP on SRX220 device

‎09-01-2011 01:53 AM

Hello,

I'm trying to enable server to server FTP transfers initiated by a client located on a third computer (FXP transfer).

FTP server A and FTP server B are located in 2 different security zones of a SRX220 firewall.

To enable such transfer, the client sends an FTP PASV command to server A and transmits the parameters in a PORT command for server B. The problem is that the firewall drops the PORT command as it does not contain the client IP.

I found a workaround by configuring the FTP servers to listen on port 2121 instead of 21 (and enabling the corresponding policy), but this requires opening a port range between the 2 zones for the FTP data connections (because the ALG is not working then).

Is there a way to configure the SRX220 ALG to enable such configuration?

Thank you,

Olivier
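
Added example (not part of the original thread, and not Junos ALG code): a simplified Python model of the check described in the post above, where a PORT command whose address differs from the control connection's source IP is flagged. The addresses are constructed documentation ranges and the function names are hypothetical.

```python
import re
from ipaddress import IPv4Address

# h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 PASV reply (RFC 959)
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def pasv_to_port(reply_227):
    """Build the PORT command an FXP client relays to the second server."""
    if not reply_227.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    hp = parse_hostport(reply_227)
    if hp is None:
        raise ValueError("no host/port tuple in reply")
    ip, port = hp
    return "PORT {},{},{}\r\n".format(str(ip).replace(".", ","), port >> 8, port & 0xFF)

def check_port(command, control_src_ip):
    """Classify a PORT command seen on a control connection from control_src_ip."""
    if not command.upper().startswith("PORT "):
        return "not-port"
    hp = parse_hostport(command)
    if hp is None:
        return "malformed"
    ip, _port = hp
    if ip != IPv4Address(control_src_ip):
        return "third-party"  # address is not the client's: the FXP case
    return "ok"

# Constructed sample values (RFC 5737 documentation addresses)
CLIENT_IP = "192.0.2.10"                                           # FXP client
PASV_REPLY_A = "227 Entering Passive Mode (198,51,100,5,195,80)"  # from server A

if __name__ == "__main__":
    relayed = pasv_to_port(PASV_REPLY_A)          # what the client sends to server B
    print(relayed.strip(), "->", check_port(relayed, CLIENT_IP))
    print(check_port("PORT 192,0,2,10,195,80\r\n", CLIENT_IP))  # ordinary active FTP
```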

3 REPLIES

Re: Server to server FTP on SRX220 device

‎09-01-2011 01:56 AM

Could you try:

set security alg ftp disable

/Alex


Re: Server to server FTP on SRX220 device

‎09-01-2011 09:56 AM

The PORT command is still dropped.

Olivier


Re: Server to server FTP on SRX220 device

‎09-02-2011 11:13 AM
Try turning off SYN checking for the FTP policy from server to server (after permit you should see this in tcp-options in 10.4).
-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46