Endpoint Protection


How to allow FTP Passive Mode traffic on clients?


  • 1.  How to allow FTP Passive Mode traffic on clients?

    Posted Jun 07, 2012 03:50 AM

    By default, all applications' traffic is allowed. For security reasons, I do not use the default firewall policy of SEP 12.1.

    I created some rules to allow traffic to pass through specific ports.

    Everything seems OK. But FTP is an exception.

    FTP has two modes to transfer data.

    One is active mode, and for this mode, it is easy to create the rule.

    The other is passive mode; it uses a dynamic port to transfer data, so I cannot specify a fixed port to allow traffic.

    So, my question is:

    How to allow FTP Passive Mode traffic on clients when the rule "allow all applications" is disabled?

    Can someone help me?

    Thanks in advance.



  • 2.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 07, 2012 11:06 PM

    Can someone help me?



  • 3.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 08, 2012 01:57 AM

    EDIT...Posted in the wrong post, apologies.



  • 4.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 08, 2012 05:49 PM

    I'm not sure, but I think the best you can do is to limit the range of ports the FTP server is using for data transfer. Here is a short explanation for IIS:

    http://technet.microsoft.com/en-us/library/dd421710%28v=ws.10%29.aspx

    Then create an allow rule with the port range (e.g., 50000-50099) for outbound traffic (if the rule is for FTP clients).

    HTH!



  • 5.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 10, 2012 09:14 PM

    So no further answer?



  • 6.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 10, 2012 09:37 PM

    For WinXP, the dynamic port range is 1024-5000.

    For Vista, Win7, Win2008, the dynamic port range is 49152-65535.

    FTP passive mode uses one of them, in the same range as other programs do, so creating a rule to allow a port range for outbound traffic cannot limit other programs' outbound traffic.

    But thanks for your answer anyway!
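    The passive-mode exchange that post 1 describes, together with the port-range idea from post 4 and the ephemeral ranges quoted in post 6, as an added Python example that is not part of the thread and not SEP configuration: it parses the server's PASV (227) and EPSV (229) replies, derives the data port that a fixed-port rule cannot predict, reports which Windows ephemeral range it falls in, and checks it the way an outbound allow rule on an assumed server-side passive range of 50000-50099 would. The sample replies and the 192.0.2.10 server address are constructed; the host check in `data_connection_allowed` is an added caveat, not something a port-range rule expresses.

```python
import re

# Reply formats: RFC 959 PASV -> "227 ... (h1,h2,h3,h4,p1,p2)"
#                RFC 2428 EPSV -> "229 ... (|||port|)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")

# Ephemeral port ranges as stated in the thread for Windows hosts.
DYNAMIC_RANGES = {
    "winxp": (1024, 5000),
    "vista_plus": (49152, 65535),
}

# Assumed: the FTP server has been pinned to this passive range (post 4).
SERVER_PASSIVE_RANGE = (50000, 50099)


def parse_passive_reply(reply, control_host):
    """Return (host, port) the server asks the client to connect to.

    For 227 the host comes from the reply itself; for 229 the host is the
    one the control connection already talks to. Returns None if the reply
    is not a passive-mode reply.
    """
    m = PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.search(reply)
    if m:
        return control_host, int(m.group(1))
    return None


def in_range(port, port_range):
    lo, hi = port_range
    return lo <= port <= hi


def which_dynamic_range(port):
    """Name of the Windows ephemeral range the port falls in, or None."""
    for name, rng in DYNAMIC_RANGES.items():
        if in_range(port, rng):
            return name
    return None


def data_connection_allowed(reply, control_host, allowed_range=SERVER_PASSIVE_RANGE):
    """Client-side check mirroring an outbound allow rule on a port range.

    Added caveat: also require the announced host to be the server we are
    already talking to, which a pure port-range rule cannot express.
    """
    parsed = parse_passive_reply(reply, control_host)
    if parsed is None:
        return False
    host, port = parsed
    return host == control_host and in_range(port, allowed_range)


# Constructed sample replies (not captured from a real server).
SAMPLES = {
    "pasv_in_range": "227 Entering Passive Mode (192,0,2,10,195,88).",
    "pasv_out_of_range": "227 Entering Passive Mode (192,0,2,10,200,201).",
    "epsv_in_range": "229 Entering Extended Passive Mode (|||50042|)",
    "pasv_other_host": "227 Entering Passive Mode (198,51,100,7,195,88).",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        host, port = parse_passive_reply(reply, "192.0.2.10")
        print(f"{name}: {host}:{port} dynamic={which_dynamic_range(port)} "
              f"allowed={data_connection_allowed(reply, '192.0.2.10')}")
```

    Run as-is the script shows the problem in the thread concretely: the server picks 50008 one time and 51401 the next, both inside the Vista/Win7 ephemeral range, so only a range rule (here 50000-50099) can match it, and any other program talking to a host on that range would match the same rule.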



  • 7.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 11, 2012 04:03 AM

    Hi,

    I think these two links may solve your problem.

    http://www.symantec.com/docs/TECH80150

    http://www.symantec.com/docs/TECH165200



  • 8.  RE: How to allow FTP Passive Mode traffic on clients?



  • 9.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 11, 2012 07:27 AM

    The first link is about how FTP works, and I do understand.

    The second link is about how to allow FTP traffic on the server side, not the client side.

    So the problem still exists.



  • 10.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 11, 2012 07:56 AM

    We had similar issues with TFTP and passive FTP. We were able to create a firewall rule and only allow approved FTP applications by using the MD5 hash in the firewall rules. Then you can open up the port ranges and know that only the FTP applications can use those ports. At some point you have to realize that you're taking a risk when you open a port, so in the end it's about balancing business need and mitigating the risk as much as possible.


  • 11.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 11, 2012 07:57 AM

    I have a question:

    How do I create a rule like the bro said: "My policy allows all outbound ftp connections."?

    I am using SEP 12.1, and I cannot find a setting about allowing FTP connections.

    But it doesn't matter.

    Since this bro solved his problem by configuring IE to use FTP active mode, and his FTP passive mode traffic still got blocked, his policy is not for FTP passive mode.

    I know how to set up IE (or other software) to use FTP active mode because I am an IT guy.

    But my colleagues don't know, and they don't even want to learn if it is not really necessary.

    So the problem still exists.



  • 12.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 12, 2012 02:22 AM

    You have to collect all versions and all kinds of software that clients use for FTP transfers.

    Otherwise you have to tell them to use a specific program for FTP transfers.

    It seems to be just a compromise.

    Anyway, thanks a lot.



  • 13.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 12, 2012 10:53 PM

    No one can find a better solution?



  • 14.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 13, 2012 10:07 PM

    Bump from myself. I hope someone can help me.



  • 15.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 14, 2012 11:52 AM

    Don't see how to do it. The FTP data stream cannot be identified by IP address or ports. The SEP firewall just doesn't have a tracking mode for passive FTP.

    thatdude's proposal seems to be the best you can do. BTW, with SEP's Application Learning feature you can gather the FTP clients in your environment quite easily -- together with their MD5 hashes.

    You can launch a suggestion in the idea section.
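    The approach in posts 10 and 15 (identify the approved FTP client by its MD5 hash, collected for example with Application Learning, and let only that hash use the passive port range), as an added Python example that is not SEP configuration and not code from the thread: it hashes a program image the way a hash-based application rule keys on it, builds a small rule list with a default block at the end, and evaluates outbound connections first-match, top to bottom. The program bytes, the 50000-50099 passive range and the rule layout are constructed assumptions for illustration.

```python
import hashlib

# Constructed stand-ins for program images. In practice you hash the real
# file on disk (the path of the approved FTP client executable).
APPROVED_FTP_CLIENT = b"constructed bytes standing in for the approved FTP client"
UNKNOWN_PROGRAM = b"constructed bytes standing in for some other program"

# Assumed server-side passive range (the IIS restriction suggested in post 4).
PASSIVE_RANGE = (50000, 50099)


def md5_hex(data):
    """MD5 of an in-memory image; hash-based application rules key on this value."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Streaming MD5 of a file, for hashing real executables without loading them whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_rules(approved_hashes, passive_range=PASSIVE_RANGE):
    """Approved client(s) may use the FTP control port and the passive range;
    a final catch-all rule blocks everything else, so an unknown program that
    happens to use the same port range never matches an allow."""
    rules = []
    for h in approved_hashes:
        rules.append({"app_md5": h, "ports": (21, 21), "action": "allow"})
        rules.append({"app_md5": h, "ports": passive_range, "action": "allow"})
    rules.append({"app_md5": None, "ports": (1, 65535), "action": "block"})
    return rules


def evaluate(rules, app_md5, dst_port):
    """First-match, top-to-bottom evaluation of one outbound connection."""
    for r in rules:
        lo, hi = r["ports"]
        app_ok = r["app_md5"] is None or r["app_md5"] == app_md5
        if app_ok and lo <= dst_port <= hi:
            return r["action"]
    return "block"


RULES = build_rules([md5_hex(APPROVED_FTP_CLIENT)])

if __name__ == "__main__":
    approved, unknown = md5_hex(APPROVED_FTP_CLIENT), md5_hex(UNKNOWN_PROGRAM)
    print(evaluate(RULES, approved, 21))      # control connection, allowed
    print(evaluate(RULES, approved, 50042))   # passive data port, allowed
    print(evaluate(RULES, unknown, 50042))    # same port, other program, blocked
    print(evaluate(RULES, approved, 51401))   # outside the pinned range, blocked
```

    The hash rule closes the leak described in post 6: another program connecting to 50000-50099 falls through to the final block rule. The cost is the one post 12 names: every FTP client build in use has to be hashed, and the hash changes whenever the client is updated, so the list has to be refreshed after each update.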



  • 16.  RE: How to allow FTP Passive Mode traffic on clients?

    Posted Jun 14, 2012 10:15 PM

    Still waiting for a good solution