Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Firewall does not allow connection when the File Transfer Protocol (FTP) server is in passive mode in Deep Security

    • Updated:
    • 11 Sep 2015
    • Product/Version:
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Platform:
    • N/A N/A
Summary

When you have an internal FTP server in passive mode, the firewall does not allow connection.

Details
Public

The issue occurs because the dynamic port functionality, which enables connection for passive FTP server, is not present in the firewall of Deep Security 9.0.

To resolve this, limit the port numbers on the passive FTP server. If it is not possible, assign the Port Mapper Decoder FTP server DPI rule if you have a licensed Intrusion Prevention module.

  1. Create a port list containing the declared ports on the FTP server:
    1. From the Deep Security Manager (DSM), click Policies > Common Objects > Lists.
    2. Select Port Lists > New, then select New Port List…
    3. On the New Port List Properties window, provide the name and ports. For example:
      Name: FTP Passive Mode Port Range
      Port(s): 6000-6010
    4. Click OK to save the port list.
  2. Create a firewall rule to allow incoming traffic from the port list created in Step 1.
    1. From the DSM, click Policies > Common Objects > Firewall Rules > New, and then select New Firewall Rule…
    2. On the Rule Property window, configure the following settings:

      Name: FTP Passive Mode FW Rule (this is just an example)
      Action: Force Allow
      Priority: 2 - Normal
      Packet direction: Incoming
      Frame Type: IP
      Protocol: TCP

    3. In the Packet Destination section, click Port > Port List.
    4. Select the port list created in Step 1.
    5. Click OK to save the firewall rule.
  3. Assign the appropriate firewall rules to the policy that will be applied on the FTP server:
    1. From the DSM, click Policies > Policies.
    2. Click the policy to be applied on the FTP server, and then click Details.
    3. In the new window, click Firewall > Assign/Unassign…
    4. Assign the following rules to the policy:
      • FTP server (Default Rule)
      • Firewall rule created in Step 2

      If the firewall is set to “Stateful Inspection Enable”, add the following rules:

      • Allow solicited TCP/UDP replies
      • ARP
       
      You can directly assign the rules to the FTP server, but it is recommended to assign the rules to the policy ruling the FTP server.
       
    5. Click OK to save the firewall rules.
  4. Assign the policy to the FTP server:
    1. From the DSM, click Computers.
    2. Double-click the passive FTP server.
    3. In the new window, go to Overview > Policy.
    4. Select the policy edited in Step 3.
    5. Click Save, then click Close to apply the policy.

When you cannot limit or control the passive FTP server ports, it is not recommended to create a rule to open ports bigger than 1023. Use the Intrusion Prevention rule instead:

  1. Assign the appropriate firewall rules to the policy that will be applied on the FTP server:
    1. From the DSM, click Policies > Policies.
    2. Click the policy to be applied on the FTP server, and then click Details.
    3. In the new window, click Firewall > Assign/Unassign…
    4. Assign the following rule to the policy:

      FTP server (Default Rule)

      If the firewall is set to “Stateful Inspection Enable”, add the following rules:

      • Allow solicited TCP/UDP replies
      • ARP
  2. Assign Intrusion Prevention rules to the policy that will be applied on the FTP server:
    1. From the DSM, click Policies > Policies.
    2. Click the policy to be applied on the FTP server, and then click Details.
    3. In the new window, click Intrusion Prevention > Assign/Unassign
    4. Select the following rule:

      1005594 – Port Mapper Decoder FTP server

       
      Click OK when you see a message that 1003783 – Port Mapper Decoder FTP server, on which the 1005594 rule has a dependency, has also been selected.
       
    5. Click OK on the IPS Rules Window.
    6. Click Save > Close to apply the Intrusion Prevention rules.
  3. Assign the policy to the FTP server:
    1. From the DSM, select Computers.
    2. Double-click the passive FTP server.
    3. In the new window, click Overview > Policy.
    4. Select the policy edited in the previous step.
    5. Click Save, then click Close to apply the policy.
Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
1098158
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.