8 Replies Latest reply on Mar 11, 2015 12:14 PM by mike18

    Denied FTP command:   Data is being dropped."

    mike18

      Hi Everyone,

      I see a log message where FTP data is dropped by the firewall.

      Log shows

      Mar  9 22:51:45 FW5032 auditd: date="2015-03-09 22:51:45 +0000",fac=f_ftp_proxy,area=a_proxy,type=t_attack,pri=p_major,pid=2345,logid=0,cmd=pftp,hostname=FW5302,category=appdef_violation,event="denied ftp command",netsessid=3700854fe2401,srcip=192.168.50.1,srcport=59610,srczone=inside,dst_local_port=21,protocol=6,src_local_port=0,dst_geo=CA,dstip=200.34.x.x,dstport=21,dstzone=outside,attackip=192.168.50.1,attackzone=internal,rule_name=xy,reason="Denied FTP command: \\x16\\x03\\x01.  Data is being dropped."

      I see the rule is there to allow FTP from the source to the destination IP.

      Does anyone know why the data is getting dropped?

      Regards

      Mike

        • 1. Re: Denied FTP command:   Data is being dropped."
          sliedl

          You're trying to do FTPS through the FTP proxy and that will never work.  You need to create a custom application on whatever ports you need, both for the control port and the data ports.


          You can tell this is FTPS because the FTP command is gibberish (it's encrypted).

          • 2. Re: Denied FTP command:   Data is being dropped."
            mike18

            So I need to create a custom application with ports 20 and 21?

            Also, when I create a custom application, will the firewall still do application-layer inspection?

            Regards

            Mike

            • 3. Re: Denied FTP command:   Data is being dropped."
              sliedl

              You need a custom application to pass the Control Port and the Data Port(s) (usually this is a range of ports).  This can be in the same application, of course.  Usually the Data Port(s) is any port greater-than 1024.  The FTPS server is the one that controls which ports the client can connect on for the data-channel (so if you do not control the FTPS server you must ask them what their data-port-range is or open all ports >1024).


              You cannot do inspection on FTPS on the firewall.  You cannot do SSL-decryption and inspection on it either (the only protocol the firewall can scan/inspect that is SSL-encrypted is HTTP).

              • 4. Re: Denied FTP command:   Data is being dropped."
                mike18

                So does it mean that when we use any application like HTTPS or FTPS we should create our own custom application instead of the applications that are built into the firewall?

                Under what conditions do we need to create custom applications?

                I will ask the user to find out which data port that application uses.

                Currently I have created a custom application with port 21. The user is able to connect but cannot see any directories. So I opened port 20; now the user can see the list of directories but cannot open them.

                Log shows

                FW5032  auditd: date="2015-03-10 22:00:56 +0000",fac=f_ftp_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2345,logid=0,cmd=pftp,hostname=FW5032,event="session end",application="FTP Test",netsessid=d25a54ff6977,srcip=192.168.50.1,srcport=54093,srczone=inside,protocol=6,dst_geo=CA,dstip=200.34.x.x,dstport=21,dstzone=outside,bytes_written_to_client=2484,bytes_written_to_server=939,rule_name=xy,cache_hit=0,start_time="2015-03-10 22:00:23 +0000"

                FW5032  auditd: date="2015-03-10 22:00:39 +0000",fac=f_kernel,area=a_nil_area,type=t_netprobe,pri=p_minor,hostname=FW5032,event="TCP netprobe",srcip=192.168.50.1,srcport=54094,srczone=inside,dst_geo=CA,dstip=200.34.x.x,dstport=50009,protocol=6,interface=1-1,reason="Received a TCP connection attempt destined for a service that the current policy does not support."

                I do see many messages like the above with a destination port range from 50002 to 50009.

                As per the above log, do you think the firewall is still dropping the data?

                Regards

                Mike

                • 5. Re: Denied FTP command:   Data is being dropped."
                  sliedl

                  FTP is special (but not unique).  It uses one port (the control port) to set up a connection on a separate, random port (the data port).  The device you are going through (our firewall) needs to be 'smart' enough to see the data on the control port, recognize the data port the two devices (client and server) negotiate, and then open that random data port.  In FTPS this is encrypted (the choosing of the data port) and thus the firewall cannot open the random data port.  By setting a specific range of data ports on the FTPS server you can then open just those ports going to that server (and not have to open all ports >1023).  HTTPS is not at all the same so it cannot be compared to FTPS.
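An added example, not from this thread or the firewall vendor, that parses auditd lines like the ones Mike posted and separates the two symptoms sliedl describes: a TLS ClientHello refused by the FTP proxy on the control port, and netprobe hits on the high data ports the policy never opened. The destination IP, ports and sample lines are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the auditd messages quoted in this thread;
# the destination IP and ports are placeholders, not the poster's real values.
def netprobe_line(port):
    return ('FW5032 auditd: date="2015-03-10 22:00:39 +0000",fac=f_kernel,type=t_netprobe,'
            'event="TCP netprobe",srcip=192.168.50.1,srcport=54094,dstip=203.0.113.10,'
            f'dstport={port},protocol=6,reason="Received a TCP connection attempt destined '
            'for a service that the current policy does not support."')

SAMPLE_LOG = [
    'FW5032 auditd: date="2015-03-09 22:51:45 +0000",fac=f_ftp_proxy,type=t_attack,'
    'cmd=pftp,event="denied ftp command",srcip=192.168.50.1,srcport=59610,'
    'dstip=203.0.113.10,dstport=21,rule_name=xy,'
    'reason="Denied FTP command: \\x16\\x03\\x01.  Data is being dropped."',
    netprobe_line(50009), netprobe_line(50002), netprobe_line(50005),
]

# key=value pairs; quoted values may contain spaces, commas and backslash escapes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')
# \x16 is the TLS handshake record type and \x03\x0N the record version, so the
# "command" the proxy rejected is a TLS ClientHello: the client switched to FTPS
TLS_HELLO_RE = re.compile(r'\\x16\\x03\\x0[0-4]')

def parse_audit(line):
    """Turn one auditd line into a dict of its key=value fields."""
    body = line.split("auditd: ", 1)[-1]
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}

def classify(fields):
    """Label the two symptoms seen in this thread, or None for anything else."""
    if fields.get("event") == "denied ftp command" and TLS_HELLO_RE.search(fields.get("reason", "")):
        return "ftps_on_ftp_proxy"
    if fields.get("event") == "TCP netprobe" and int(fields.get("dstport", "0")) > 1023:
        return "blocked_high_port"
    return None

def summarize(lines):
    """Per destination: FTPS attempts seen, and the high-port span the policy refused."""
    seen = defaultdict(lambda: {"ftps_attempts": 0, "ports": set()})
    for line in lines:
        f = parse_audit(line)
        kind = classify(f)
        if kind == "ftps_on_ftp_proxy":
            seen[f["dstip"]]["ftps_attempts"] += 1
        elif kind == "blocked_high_port":
            seen[f["dstip"]]["ports"].add(int(f["dstport"]))
    return {dst: {"ftps_attempts": s["ftps_attempts"],
                  "blocked_port_span": (min(s["ports"]), max(s["ports"])) if s["ports"] else None}
            for dst, s in seen.items()}
```

The blocked port span is the evidence to take to the FTPS server's owner when asking for their configured passive data-port range, which is then what the custom application needs to carry besides port 21.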

                  • 6. Re: Denied FTP command:   Data is being dropped."
                    mike18


                    I am waiting for the vendor to give me their data port range.

                    In the meantime I tried to open port >1024 on the firewall; it gives an error that it should be a range.

                    Is there any way I can open all the ports greater than 1024?

                    Or can I use a range like 1024-65000?

                    Thanks for the great explanation.

                    Regards

                    Mike

                    • 7. Re: Denied FTP command:   Data is being dropped."
                      sliedl

                      Yes, use a range in the TCP ports box of 1024-65535.  Type it just like that, 1024-65535.

                      • 8. Re: Denied FTP command:   Data is being dropped."
                        mike18


                        Many thanks, after opening the port range it's working now.

                        Best regards

                        Mike