How to let FTPS pass through an SRX device

Knowledge Base ID: KB19444
Last Updated: 11 Feb 2015
Version: 10.0

To allow FTPS in explicit mode (also referred to as FTPES or FTPeS) to pass through an SRX, configure the 'set security alg ftp ftps-extension' command, which is available from Junos 10.2 onward.

The FTPS implicit mode is currently not supported.

Problem or Goal:
  • FTPS in explicit mode fails to connect through an SRX device.

  • In FTPS explicit mode, the client connects to the server on TCP port 21 and then negotiates SSL/TLS for the control channel and/or the data channel using additional FTP commands such as AUTH.

  • The AUTH command on the control channel is not recognized by the FTP ALG and is dropped.


FTPS support for SRX can be enabled by using the following configuration command:
set security alg ftp ftps-extension

This will have the following effects:

  • The AUTH command is recognized by the FTP ALG. This behaviour is available in Junos 10.2 or later.

  • This feature is supported in route mode and with source NAT. It works with FTPeS in passive mode only: once the control channel is encrypted, the FTP ALG cannot decrypt it, so it cannot open a gate (pinhole) for the data channel.

  • Consequently, FTPeS in active mode is not supported.

Limitations (applicable to all Junos versions):
  • Destination NAT and static NAT are not supported with FTPeS. This is a protocol limitation; simply opening ports wide will not help.

  • Implicit FTPS is not supported. It encrypts the entire FTP session, and the FTP ALG is not designed to handle this.

  • FTPeS is only supported in passive mode. FTPeS in active mode is not supported.
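An added configuration example (not from this KB) showing a complete passive-mode FTPeS setup in which the ALG handles AUTH on TCP/21 while the passive data range is permitted by an ordinary policy, because no gate can be opened. The zone names trust/untrust, the server's passive port range 50000-50100 and interface-based source NAT are assumptions; the # lines are annotations to drop before loading with 'load set terminal'.

```junos
# Added example: enable the FTPS extension of the FTP ALG so AUTH on the
# control channel (TCP/21) is recognised and passed instead of dropped.
set security alg ftp ftps-extension

# Assumed: the FTPS server advertises passive data ports 50000-50100.
# After AUTH the control channel is encrypted, so the ALG cannot read the
# PASV reply and open a gate; the data range must be permitted explicitly.
set applications application ftps-pasv-data protocol tcp destination-port 50000-50100

# Assumed zones: trust (clients) and untrust (server). junos-ftp matches
# TCP/21 and binds the control session to the FTP ALG.
set security policies from-zone trust to-zone untrust policy ftps-out match source-address any
set security policies from-zone trust to-zone untrust policy ftps-out match destination-address any
set security policies from-zone trust to-zone untrust policy ftps-out match application junos-ftp
set security policies from-zone trust to-zone untrust policy ftps-out match application ftps-pasv-data
set security policies from-zone trust to-zone untrust policy ftps-out then permit

# Source NAT is supported with FTPeS; destination NAT and static NAT are not.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule r1 match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule r1 then source-nat interface
```

Active-mode FTPeS would require the server to open an inbound data connection to the client, which the SRX cannot permit without a gate, so no policy in the other direction is added.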


Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.