The issue occurs because the firewall of Deep Security 9.0 does not provide the dynamic port functionality that passive FTP servers need to accept data connections on ports negotiated at run time.
To resolve this, limit the range of passive ports on the FTP server and allow only that range in the firewall. If that is not possible, assign the Port Mapper Decoder FTP server DPI rule instead, which requires a licensed Intrusion Prevention module.
1. Create a port list containing the passive ports declared on the FTP server:
   - From the Deep Security Manager (DSM), click Policies > Common Objects > Lists.
   - Select Port Lists > New, then select New Port List…
   - On the New Port List Properties window, provide the name and ports. For example:
     - Name: FTP Passive Mode Port Range
     - Port(s): 6000-6010
   - Click OK to save the port list.
2. Create a firewall rule that allows incoming traffic to the ports in the port list created in Step 1:
   - From the DSM, click Policies > Common Objects > Firewall Rules > New, and then select New Firewall Rule…
   - On the Rule Property window, configure the following settings:
     - Name: FTP Passive Mode FW Rule (this is just an example)
     - Action: Force Allow
     - Priority: 2 - Normal
     - Packet direction: Incoming
     - Frame Type: IP
     - Protocol: TCP
   - In the Packet Destination section, click Port > Port List.
   - Select the port list created in Step 1.
   - Click OK to save the firewall rule.
3. Assign the appropriate firewall rules to the policy that will be applied to the FTP server:
   - From the DSM, click Policies > Policies.
   - Click the policy to be applied to the FTP server, and then click Details.
   - In the new window, click Firewall > Assign/Unassign…
   - Assign the following rules to the policy:
     - FTP server (Default Rule)
     - Firewall rule created in Step 2
   - If the firewall is set to “Stateful Inspection Enable”, also add the following rules:
     - Allow solicited TCP/UDP replies
     - ARP
   - You can assign the rules directly to the FTP server computer, but it is recommended to assign them to the policy governing the FTP server.
   - Click OK to save the firewall rules.
4. Assign the policy to the FTP server:
   - From the DSM, click Computers.
   - Double-click the passive FTP server.
   - In the new window, go to Overview > Policy.
   - Select the policy edited in Step 3.
   - Click Save, then click Close to apply the policy.
When you cannot limit or control the passive port range on the FTP server, creating a firewall rule that opens every port above 1023 is not recommended, because it exposes far more than the FTP data channel. Use the Intrusion Prevention rule instead:
1. Assign the appropriate firewall rules to the policy that will be applied to the FTP server:
   - From the DSM, click Policies > Policies.
   - Click the policy to be applied to the FTP server, and then click Details.
   - In the new window, click Firewall > Assign/Unassign…
   - Assign the following rule to the policy:
     - FTP server (Default Rule)
   - If the firewall is set to “Stateful Inspection Enable”, also add the following rules:
     - Allow solicited TCP/UDP replies
     - ARP
2. Assign the Intrusion Prevention rules to the policy that will be applied to the FTP server:
   - From the DSM, click Policies > Policies.
   - Click the policy to be applied to the FTP server, and then click Details.
   - In the new window, click Intrusion Prevention > Assign/Unassign…
   - Select the following rule:
     - 1005594 – Port Mapper Decoder FTP server
   - A message appears stating that 1003783 – Port Mapper Decoder FTP server, on which rule 1005594 depends, has also been selected. Click OK.
   - Click OK on the IPS Rules window.
   - Click Save > Close to apply the Intrusion Prevention rules.
3. Assign the policy to the FTP server:
   - From the DSM, select Computers.
   - Double-click the passive FTP server.
   - In the new window, click Overview > Policy.
   - Select the policy edited in Step 2.
   - Click Save, then click Close to apply the policy.
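The first procedure only works if the ports the FTP server actually announces in its PASV replies fall inside the port list allowed by the firewall rule (6000-6010 in the example). The following script is an added example, not part of this article or of Deep Security, that parses captured 227 PASV replies and reports any announced data port outside the declared range; the sample replies are constructed, and the optional live probe assumes the server accepts an anonymous login.

```python
import re
from ftplib import FTP

# Port list declared in the Deep Security port list "FTP Passive Mode Port Range".
PASSIVE_PORT_RANGE = (6000, 6010)

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" where port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample replies as a passive FTP server might return them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,23,112)",   # port 6000, inside range
    "227 Entering Passive Mode (192,168,1,10,23,122)",   # port 6010, inside range
    "227 Entering Passive Mode (192,168,1,10,23,123)",   # port 6011, outside range
    "227 Entering Passive Mode (192,168,1,10,195,80)",   # port 50000, unrestricted server
    "425 Can't open data connection.",                   # not a PASV reply at all
]


def parse_pasv_reply(reply):
    """Return (host, port) announced in a 227 reply, or None if the reply is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (a, b, c, d, p1, p2)):
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def port_in_range(port, port_range=PASSIVE_PORT_RANGE):
    """True when the announced port is covered by the firewall port list."""
    low, high = port_range
    return low <= port <= high


def check_pasv_replies(replies, port_range=PASSIVE_PORT_RANGE):
    """Return a list of (port, allowed) per reply; malformed replies give (None, False)."""
    results = []
    for reply in replies:
        parsed = parse_pasv_reply(reply)
        if parsed is None:
            results.append((None, False))
        else:
            results.append((parsed[1], port_in_range(parsed[1], port_range)))
    return results


def fetch_pasv_reply(host, timeout=5.0):
    """Live check against your own server (assumes anonymous login); returns the raw 227 reply."""
    with FTP(host, timeout=timeout) as ftp:
        ftp.login()
        return ftp.sendcmd("PASV")


if __name__ == "__main__":
    for reply, (port, ok) in zip(SAMPLE_REPLIES, check_pasv_replies(SAMPLE_REPLIES)):
        print(f"{'OK ' if ok else 'BAD'} port={port} <- {reply}")
```

Any BAD line means the server's passive range and the Deep Security port list disagree and the data connection will be dropped by the firewall.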