Using Explicit FTP over TLS

I have spent quite some time searching for a solution to this issue, but alas, I have not found one.
What I want to do seems like it should be a simple task, but I am having no success in getting it to work.

I am using Filezilla as an FTP client behind my Sophos UTM (v9.409-9 - home license) to connect to external FTP servers (for management of external websites).

When I try to use "Use explicit FTP over TLS if available" as my encryption option it authenticates to the FTP server but fails to do a directory listing.

Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Status:    Verifying certificate...
Status:    TLS connection established.
Status:    Logged in
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (98,142,97,58,165,21)
Command:    MLSD
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing

If I use "Only use plain FTP (insecure)" as my encryption option everything works fine, but that is not the way I would prefer to connect to the FTP servers.

I have viewed the firewall log while trying to connect using Explicit FTP over TLS, but I see absolutely no indication of this in the live log.
Surely I am not the only person that has this issue.


So... my question is a simple one.
How do I configure the UTM to allow me to use Explicit FTP over TLS to connect to an external FTP server when using Filezilla?
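The directory-listing failure in the log above is the classic symptom of a firewall FTP helper that cannot read an encrypted control channel: the server's 227 reply names the passive data port, but under explicit TLS the firewall sees only ciphertext and never learns which port to open, so the MLSD data connection times out. The following Python script is an added example, not code from this thread or from Sophos; it parses a FileZilla control-channel log (the one from the post, plus a constructed plaintext variant), recovers the passive data endpoint the way a helper would, and reports whether a helper could have seen it.

```python
import re

# Passive-mode reply format (RFC 959, 4.1.2): "227 ... (h1,h2,h3,h4,p1,p2)"
# where the data port is p1 * 256 + p2.
PASV_RE = re.compile(
    r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError if it is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in 227 reply: %r" % reply)
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("zero data port in 227 reply: %r" % reply)
    return ".".join(str(f) for f in fields[:4]), port


def analyze_session(log):
    """Model what an FTP connection-tracking helper on the path could see.

    FileZilla logs the decrypted reply, so the client always knows the data
    port. A helper on the firewall only knows it when the control channel
    is plaintext; once 'TLS connection established' appears, the 227 reply
    crosses the firewall encrypted and the helper cannot open the data port.
    """
    lines = log.splitlines()
    tls = any("TLS connection established" in line for line in lines)
    endpoints = [parse_pasv(line) for line in lines
                 if line.startswith("Response:") and PASV_RE.search(line)]
    return {
        "control_channel_encrypted": tls,
        "data_endpoints": endpoints,
        "helper_can_see_data_port": bool(endpoints) and not tls,
    }


# Log as pasted in the post (explicit FTP over TLS).
FTPS_LOG = """\
Status:    Initializing TLS...
Status:    TLS connection established.
Status:    Logged in
Command:    PASV
Response:    227 Entering Passive Mode (98,142,97,58,165,21)
Command:    MLSD
Error:    Connection timed out after 20 seconds of inactivity
"""

# Constructed plaintext variant of the same session (not from the post).
PLAIN_LOG = """\
Status:    Logged in
Command:    PASV
Response:    227 Entering Passive Mode (98,142,97,58,165,21)
Command:    MLSD
Response:    150 Accepted data connection
"""

if __name__ == "__main__":
    for name, log in (("explicit TLS", FTPS_LOG), ("plain FTP", PLAIN_LOG)):
        r = analyze_session(log)
        print(name, "->", r)
```

Run stand-alone, the script shows the same 227 reply yielding data endpoint 98.142.97.58:42261 in both sessions, with the helper able to use it only in the plaintext one. That is why the firewall log shows only the accepted SYN to port 21 and nothing for the data port: no session ever gets far enough to be logged. The general remedies are the ones any FTPS deployment needs when a stateful firewall sits in the path: have the server advertise a fixed, narrow passive port range and allow that range outbound explicitly, or use a client encryption option that leaves the control channel visible to the helper, accepting the loss of confidentiality that implies.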

  • Do you have a rule in place to allow the secure connection out with logging enabled?

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I should probably add...

    Ports 21 and 443 are open to outbound traffic.
    When trying to connect to the FTP server I see successful attempts on port 21, but nothing else.

    As mentioned, it looks like the connection to the FTP server authenticates successfully, but it always fails to do a directory listing when using the Explicit TLS connection option.

  • Do you have the ftp helper enabled?


  • Do you mean the FTP proxy?

    If so, then no, it is not enabled as I thought that this is only if I have an FTP server behind the UTM.
    Please correct me if I am wrong about that.

  • No, it is here to help with the extra port that ftp uses. It is not actually a proxy, but a session helper to ensure that the ftp control port is associated with an active ftp session.


  • I have looked, but have not been able to find an FTP Helper option.
    Where is that option located?

  • firewall -> advanced.

    there are a number of similar features on that page.


  • Yes, the FTP connection tracking helper was enabled. I am guessing that this is the default state, as I cannot remember ever setting that option.

    So... that is not the issue. Any other suggestions?

  • What is your outbound rule? You should see all connections in the firewall log.

    I suspect that the issue is really that you have the web proxy enabled in transparent mode so all traffic will be picked up by the web proxy.

    Try adding an exclusion for the site you are going to in the web proxy exclusion list.


  • I added the IP address of the host FTP server to Skip Transparent Mode Destination Hosts/Nets, but again, this made no difference.

    I cannot believe that something as basic as using a secure FTP connection is so painful to configure on the UTM. What a PITA!

  • Can you see the traffic in either of the firewall logs or the web filter log?


  • When I look at the firewall log all I see is the accepted packet on port 21
    There are no entries at all in the web filter log for the FTP server IP address.

    2016:12:30-09:07:19 firewall ulogd[4557]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" outitf="ppp0" srcmac="a0:a8:cd:xx:xx:xx" dstmac="78:e3:b5:xx:xx:xx" srcip="172.16.xxx.xxx" dstip="98.142.xxx.xxx" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59406" dstport="21" tcpflags="SYN"


    Connecting to the FTP server works just fine when I use the non secure connection option, but when I use any of the TLS connection options I cannot get a directory listing.

    As I said... I cannot believe that no one else has this issue, or a simple solution for how to make it work.

  • Hi BigO,

    Time for a pcap. Do a packetcapture and show us the logs. I want to see who sends the RESET.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks for the suggestion, but I am in no way a Linux command line person, which is what I believe is necessary to do a packet capture.

    I am guessing that I will just have to accept the fact that I will only be able to do insecure connections to the FTP servers, as I do not have the time or motivation to waste any more time trying to resolve this issue.

    As I have said before... surely it cannot just be me that wants to use a TLS connection to FTP servers and cannot do this from behind the UTM.

  • Long shot, but have you read the KB article? https://community.sophos.com/kb/en-us/121021

    Regards,
    Bohdan