How to let FTPS pass through an SRX device

Article ID: KB19444  KB Last Updated: 15 May 2018  Version: 14.0
Summary:
To allow explicit-mode FTPS (also referred to as FTPES) to pass through an SRX, configure the 'set security alg ftp ftps-extension' command, which is available in Junos 10.2 or later.

The FTPS implicit mode is currently not supported.
 
Symptoms:
  • FTPS in explicit mode fails to connect through an SRX device.

  • In explicit-mode FTPS, the client connects to the server on port TCP/21. The client then negotiates SSL for either the control channel or the data channel using new FTP commands such as AUTH.

  • The AUTH command in the control channel will not be recognized by the FTP ALG and will be dropped.
Solution:
FTPS support for SRX can be enabled by using the following configuration command:
set security alg ftp ftps-extension

This will have the following effects:
 
  • The AUTH command will be recognized by the FTP ALG. This is available in Junos 10.2 or later.

  • This feature is supported with route mode and source NAT. It works with FTPeS in passive mode only: the FTP ALG cannot decrypt the control channel, so no gate can be opened.

  • For the same reason, FTPeS in active mode is not supported.


Limitations (applicable to all Junos versions):
  • Destination NAT and static NAT are not supported with FTPeS. This is a protocol limitation, and simply opening the ports wide will not help.

  • Implicit FTPS is not supported.  This encrypts the entire FTP session, and the FTP ALG is not designed to handle this.

  • FTPeS is only supported with passive mode. FTPeS with active mode is not supported.
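The behaviour described above can be modelled in a few lines. This is an added example, not Juniper code and not part of the original article: it shows AUTH being dropped without ftps-extension and, once TLS starts, the ALG no longer seeing any PORT command or 227 reply from which to open a gate. The function names, sample sessions, addresses and ports are constructed for illustration.

```python
import re

# Model of the FTP ALG behaviour described above; constructed for
# illustration, not Junos code.
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def inspect_control(messages, ftps_extension):
    """Walk (direction, bytes) control-channel messages in wire order.
    Returns (verdict, gates): gates are the data-channel endpoints the
    ALG could read from cleartext and so could open or translate."""
    encrypted, auth_sent, gates = False, False, []
    for direction, data in messages:
        if encrypted:
            continue  # TLS records are opaque: nothing to parse
        line = data.decode("ascii", "replace").strip()
        if direction == "c2s":
            verb = line.split(" ", 1)[0].upper()
            if verb == "AUTH":
                if not ftps_extension:
                    return "dropped: AUTH not recognized", gates
                auth_sent = True
            elif verb == "PORT" and endpoint(line):
                gates.append(endpoint(line))
        elif auth_sent and line.startswith("234"):
            encrypted = True  # server accepted AUTH; TLS starts next
        elif line.startswith("227") and endpoint(line):
            gates.append(endpoint(line))
    return "passed", gates

# Constructed sample sessions (documentation addresses, made-up ports).
TLS_RECORD = b"\x17\x03\x03\x00\x20" + b"\x00" * 32  # stands in for encrypted PASV/227
FTPES = [("s2c", b"220 ready\r\n"), ("c2s", b"AUTH TLS\r\n"),
         ("s2c", b"234 AUTH TLS ok\r\n"), ("c2s", TLS_RECORD), ("s2c", TLS_RECORD)]
PLAIN = [("s2c", b"220 ready\r\n"), ("c2s", b"PASV\r\n"),
         ("s2c", b"227 Entering Passive Mode (192,0,2,10,195,81)\r\n")]

if __name__ == "__main__":
    for name, ext, session in (("FTPeS, no extension", False, FTPES),
                               ("FTPeS, ftps-extension", True, FTPES),
                               ("plain FTP", False, PLAIN)):
        print(name, "->", inspect_control(session, ext))
```

With ftps-extension set, the FTPeS session passes but the gate list stays empty, whereas the plain FTP session yields the server's passive endpoint.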
Modification History:
2018-05-15: Minor corrections made