Opening custom port for a Passive mode FTP Server

Description

File Transfer Protocol (FTP) operates on TCP ports 20 and 21, where port 21 is the Control Port and port 20 is the Data Port. However, when an FTP server uses non-standard ports (e.g. 2020, 2121), SonicWall drops the packets because it cannot identify them as FTP traffic. A new option, "Enable FTP Transformations for TCP port(s) in Service Object", has been introduced to set a custom control port for FTP traffic. Enabling this option lets SonicWall identify traffic to and from the custom port as FTP traffic.

This article describes the method to set a custom control port for FTP.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

In this scenario we have an FTP server behind the SonicWall listening on port 2121 configured in Passive Mode. The configuration would be the same if the server is configured in Active Mode also.

  1. Click OBJECT in the top navigation menu
  2. Navigate to the Match Objects | Addresses page.
  3. Click on Add
  4. Create an Address Object for the private IP address of the FTP server.
  5. Click on Save
  6. Click OBJECT in the top navigation menu
  7. Navigate to the Match Objects | Services page.
  8. Click on Add
  9. Create a Service Object for the private IP address of the FTP server.
  10. Click on Save
  11. Create the following Access Rule and NAT Policy.
  12. Click Policy in the top navigation menu
  13. Click on Add
  14. Create the access rule as below
  15. Click on ADD
  16. Click Manage in the top navigation menu
  17. Navigate to Rules and Policies | NAT Rules
  18. Click on Add
  19. Create the NAT Policy as below
  20. Click on ADD
  21. Select the address object for the custom service under Enable FTP Transformations for TCP port(s) in Service Object on the Network | Firewall Settings | Advanced page.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

In this scenario we have an FTP server behind the SonicWall listening on port 2121 configured in Passive Mode. The configuration would be the same if the server is configured in Active Mode also.

  1. Click Manage in the top navigation menu
  2. Navigate to the Objects | Address Objects page.
  3. Click on Add
  4. Create an Address Object for the private IP address of the FTP server.
  5. Click on ADD
  1. Click Manage in the top navigation menu
  2. Navigate to the Objects | Services page
  3. Click on Add
  4. Create the custom Service for the FTP Server.
  5. Click on ADD

Create the following Access Rule and NAT Policy.

  1. Click Manage in the top navigation menu
  2. Navigate to Rules | Access Rules
  3. Click on Add
  4. Create the access rule as below
  5. Click on ADD

  1. Click Manage in the top navigation menu
  2. Navigate to Rules | NAT Policies
  3. Click on Add
  4. Create the NAT Policy as below
  5. Click on ADD

  • Select the address object for the custom service under Enable FTP Transformations for TCP port(s) in Service Object on the Firewall Settings | Advanced page.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

In this scenario we have an FTP server behind the SonicWall listening on port 2121 configured in Passive Mode. The configuration would be the same if the server is configured in Active Mode also.

  • Navigate to the Network | Address Objects page.
  • Create an Address Object for the private IP address of the FTP server.
  • Navigate to the Network | Services page
  • Create the custom Service for the FTP Server.

  • Create the following Access Rule and NAT Policy
  • Access Rule under Firewall | Access Rule
  • NAT Policy under Network | NAT Policies

  • Select the address object for the custom service under Enable FTP Transformations for TCP port(s) in Service Object on the Firewall Settings | Advanced page.

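To verify the result from the WAN side, the following added example (not SonicWall code and not part of the original article) parses the server's 227 reply to PASV and classifies the address it advertises. It assumes the FTP transformation rewrites the address embedded in that reply to the firewall's WAN IP, as FTP-aware NAT commonly does; the function names, the WAN IP and the sample replies are constructed for illustration.

```python
import ipaddress
import re
from ftplib import FTP

# RFC 1918 ranges: seeing one of these in a 227 reply from outside means the
# control-channel payload was not rewritten on its way through the firewall.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in an RFC 959 '227 (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_TUPLE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % reply)
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def pasv_verdict(reply, wan_ip):
    """Classify the advertised data address against the firewall's WAN IP."""
    ip, _port = parse_pasv(reply)
    if ip == ipaddress.ip_address(wan_ip):
        return "ok"            # address was translated to the WAN IP
    if any(ip in net for net in RFC1918):
        return "untranslated"  # private server address leaked to the client
    return "mismatch"          # some other address; check the NAT policy

def fetch_pasv_reply(host, port, user, password, timeout=10):
    """Live check: log in on the custom control port and return the raw PASV reply."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, password)
        return ftp.sendcmd("PASV")
    finally:
        ftp.close()

if __name__ == "__main__":
    wan = "203.0.113.5"  # constructed WAN IP (documentation range)
    for sample in ("227 Entering Passive Mode (192,168,1,10,195,80).",  # constructed
                   "227 Entering Passive Mode (203,0,113,5,195,80)."):  # constructed
        print(sample, "->", parse_pasv(sample)[1], pasv_verdict(sample, wan))
```

For a live check, call fetch_pasv_reply from a host outside the firewall against the custom control port (2121 in this article's scenario) and pass the reply to pasv_verdict. A verdict of "untranslated" suggests the custom port is not yet being treated as an FTP control port.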
