Friday, July 3, 2020

Separation of FTP vs Explicit FTPS on the firewall?

Hi folks, I've got a scenario where I have to prevent public users (teleworkers) from accessing our FTP server without TLS. The FTP server is managed by our SA and not our team; we only manage and control traffic on the Palo Alto firewall. Users must use PASV mode.

Basically, what I've done is port-forwarding of the FTP server, and I configured inbound SSL decryption on the Palo Alto. When it comes to security rules, though, it seems like after decryption and NAT, both traffic types (FTP and FTPS) are seen as the FTP application. Before I configured decryption, the data channel of FTPS showed as the SSL application, so the firewall couldn't inspect it to create a pinhole for PASV FTP.

SFTP has been recommended by our team for this use case, but we would have to wait for confirmation from the SA. In the meantime, though, public users must NOT access it via plain FTP. Has anyone ever done this before?
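The distinction the question is after, as an added example that is not from the original post and not a Palo Alto feature: it walks an FTP control-channel transcript (a constructed "C> "/"S> " line format, such as a server-side or post-decryption log could be mapped to) and reports whether USER/PASS went over before AUTH TLS was accepted and whether PROT P protected the PASV data channel. The three transcripts are constructed samples, including the fallback case where the server refuses AUTH TLS and the client logs in anyway.

```python
# Classify an FTP control-channel transcript as plain FTP or explicit FTPS.
# Assumed (constructed) input format: one message per line, "C> " for
# client commands and "S> " for server replies.
from dataclasses import dataclass

@dataclass(frozen=True)
class Verdict:
    cleartext_login: bool   # USER/PASS sent before TLS was negotiated
    encrypted_login: bool   # USER/PASS sent after AUTH TLS got a 234 reply
    data_protected: bool    # PROT P accepted, so the PASV data channel is TLS
    passive_mode: bool      # client used PASV (or EPSV)

def classify(transcript: str) -> Verdict:
    tls = pending_auth = pending_prot = False
    cleartext = encrypted = protected = passive = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        side, _, text = line.partition(" ")
        if side == "C>":
            cmd, _, arg = text.partition(" ")
            cmd, arg = cmd.upper(), arg.strip().upper()
            if cmd == "AUTH" and arg in ("TLS", "SSL"):
                pending_auth = True          # wait for the server's verdict
            elif cmd in ("USER", "PASS"):
                if tls:
                    encrypted = True
                else:
                    cleartext = True         # credentials visible on the wire
            elif cmd == "PROT" and arg == "P" and tls:
                pending_prot = True
            elif cmd in ("PASV", "EPSV"):
                passive = True
        elif side == "S>":
            if pending_auth:                 # only 234 means TLS starts now
                tls, pending_auth = text[:3] == "234", False
            elif pending_prot:               # any 2xx accepts PROT P
                protected, pending_prot = text[:1] == "2", False
    return Verdict(cleartext, encrypted, protected, passive)

# Constructed sample transcripts (not captured from any real server).
PLAIN_FTP = ("S> 220 ready\nC> USER alice\nS> 331 password\nC> PASS s3cret\n"
             "S> 230 logged in\nC> PASV\nS> 227 Entering Passive Mode (203,0,113,10,195,80)")
EXPLICIT_FTPS = ("S> 220 ready\nC> AUTH TLS\nS> 234 proceed\nC> PBSZ 0\nS> 200 ok\n"
                 "C> PROT P\nS> 200 private\nC> USER alice\nS> 331 password\n"
                 "C> PASS s3cret\nS> 230 logged in\nC> PASV\nS> 227 Entering Passive Mode (203,0,113,10,195,81)")
TLS_REFUSED = ("S> 220 ready\nC> AUTH TLS\nS> 502 not implemented\nC> USER alice\n"
               "S> 331 password\nC> PASS s3cret\nS> 230 logged in\nC> PASV\nS> 227 Entering Passive Mode (203,0,113,10,195,82)")
```

A session with `cleartext_login` set is exactly the one the rule set must reject, and `data_protected` is what distinguishes a TLS-protected PASV data channel from a plaintext one.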


