Why is this so difficult !

Question

I am simply trying to allow outbound (LAN to WAN) passive FTP between 2 endpoints and nothing I have done so far has got it working (even allowing any IP both ways). 
 
 On any other stateful firewall I have used if the traffic is allowed out then the return traffic is allowed back in but the Sophos XG210 firewalls are dropping the return packets as far as I can see because they are not matching up with an existing connection. 
 
 I admit I do not have a lot of experience with these firewalls but they really are not intuitive compared to pfSense, iptables, Cisco to name a few.

LuCar Toni · Answer

Do you mean, you get Dropped packets in the logviewer as "Invalid Traffic" (could not associate session)? 
 Likely this is not the issue. Instead one of your FTP Clients is dropping the channel anyways and XG is dropping the session, as duplicated packets are send. 
 
 Check the tcpdump to be sure, if there is actually communication between both on the passv port.

RickardNordahl · Answer

My Guess is that is the ftpbounce-prevention that are the issue here. Login to the CLI go to meny 4 and change the ftpbounce-prevention to Data instead of control. That have worked for me when having issues with FTP traffic. 
 
 The command to change it. 
 
 set advanced-firewall ftpbounce-prevention data 
 
 And also please remember to allow the passive ports in the Firewall rule. 
 
 //Rickard

Why is this so difficult !

Top Replies