Opening custom port for a Passive mode FTP Server
09/30/2022
Description
File Transfer Protocol (FTP) operates on TCP ports 20 and 21, where port 21 is the control port and port 20 is the data port. However, when non-standard ports are used (e.g., 2020, 2121), SonicWall drops the packets because it cannot identify them as FTP traffic. An option called "Enable FTP Transformations for TCP port(s) in Service Object" has been introduced to set a custom control port for FTP traffic. Enabling this option helps SonicWall identify traffic to and from the custom port as FTP traffic.
This article describes the method to set a custom control port for FTP.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
In this scenario we have an FTP server behind the SonicWall, listening on port 2121 and configured in Passive Mode. The configuration is the same if the server is configured in Active Mode.
- Click OBJECT in the top navigation menu
- Navigate to the Match Objects | Addresses page.
- Click on Add
- Create an Address Object for the private IP address of the FTP server.
- Click on Save
- Click OBJECT in the top navigation menu
- Navigate to the Match Objects | Services page.
- Click on Add
- Create a Service Object for the private IP address of the FTP server.
- Click on Save
- Create the following Access Rule and NAT Policy.
- Click Policy in the top navigation menu
- Click on Add
- Create the access rule as below
- Click on ADD
- Click Manage in the top navigation menu
- Navigate to Rules and Policies | NAT Rules
- Click on Add
- Create the NAT Policy as below
- Click on ADD
- Select the address object for the custom service under Enable FTP Transformations for TCP port(s) in Service Object on the Network | Firewall Settings | Advanced page.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
In this scenario we have an FTP server behind the SonicWall, listening on port 2121 and configured in Passive Mode. The configuration is the same if the server is configured in Active Mode.
- Click Manage in the top navigation menu
- Navigate to the Objects | Address Objects page.
- Click on Add
- Create an Address Object for the private IP address of the FTP server.
- Click on ADD
- Click Manage in the top navigation menu
- Navigate to the Objects | Services page
- Click on Add
- Create the custom Service for the FTP Server.
- Click on ADD
Create the following Access Rule and NAT Policy.
- Click Manage in the top navigation menu
- Navigate to Rules | Access Rules
- Click on Add
- Create the access rule as below
- Click on ADD
- Click Manage in the top navigation menu
- Navigate to Rules | NAT Policies
- Click on Add
- Create the NAT Policy as below
- Click on ADD
- Select the address object for the custom service under Enable FTP Transformations for TCP port(s) in Service Object on the Firewall Settings | Advanced page.
Resolution for SonicOS 6.2 and Below
The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
In this scenario we have an FTP server behind the SonicWall, listening on port 2121 and configured in Passive Mode. The configuration is the same if the server is configured in Active Mode.
- Navigate to the Network | Address Objects page.
- Create an Address Object for the private IP address of the FTP server.
- Navigate to the Network | Services page
- Create the custom Service for the FTP Server.
- Create the following Access Rule and NAT Policy
- Access Rule under Firewall | Access Rule
- NAT Policy under Network | NAT Policies
- Select the address object for the custom service under Enable FTP Transformations for TCP port(s) in Service Object on the Firewall Settings | Advanced page.
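Whichever SonicOS version was configured above, the result can be verified from a client outside the firewall by inspecting the server's reply to PASV on the custom control port. The following check is an added example, not SonicWall code. It assumes that FTP-aware NAT rewrites the address in the 227 reply to the WAN IP, and the function names, the sample replies and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import re
from ftplib import FTP

# RFC 959 PASV reply carries (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_pasv(reply, public_ip):
    """Classify the address an outside client sees in the PASV reply."""
    ip, port = parse_pasv(reply)
    if ip == public_ip:
        return "ok", ip, port
    if ipaddress.ip_address(ip).is_private:
        # Control traffic on the custom port was not treated as FTP.
        return "private-address-leaked", ip, port
    return "unexpected-address", ip, port


def probe(public_ip, control_port, user, password):
    """Live check from outside the firewall (requires network access)."""
    ftp = FTP()
    ftp.connect(public_ip, control_port, timeout=10)
    try:
        ftp.login(user, password)
        return check_pasv(ftp.sendcmd("PASV"), public_ip)
    finally:
        ftp.close()


# Constructed sample replies; 203.0.113.10 stands in for the WAN IP.
SAMPLE_OK = "227 Entering Passive Mode (203,0,113,10,195,80)"
SAMPLE_LEAK = "227 Entering Passive Mode (192,168,1,50,195,80)"
```

A "private-address-leaked" result from probe() against port 2121 indicates that the custom service object is not selected under Enable FTP Transformations for TCP port(s) in Service Object.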