Description:

This article describes how to set up the FTP proxy or Application Management for the FTP protocol.

Requirements:

  • LANCOM R&S®Unified Firewall with LCOS FX version 10.3 or later
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

Procedure

With LANCOM Unified Firewalls, the ALG for the FTP protocol (the FTP conntrack helper) is activated automatically as soon as a firewall rule is created for TCP port 21. The helper reads the PORT/PASV exchange on the control connection and dynamically permits the matching data connection, so plain FTP connectivity does not need a static rule for the data ports.

FTP transmits credentials and payload in clear text, so if possible the FTP protocol should only be allowed for the selected network users who actually need it.

When using FTP, LANCOM Systems recommends that you additionally set up the FTP proxy or “Application Management” for the FTP protocol:

1. Configuring the "Application Filter":

For verification by the Application Management, a separate host or network object has to be created whose rule to the Internet object contains only the FTP service together with a custom service for the FTP data ports. The Application Management filter is then applied to FTP for this object only.

1.1) Open the configuration of the Unified Firewall in a web browser, switch to the menu Desktop → Services → User-defined Services and click on the “+” icon to create a new service for FTP data transfer.

1.2) Give it a descriptive name and click on the “+” icon to specify the Ports and Protocols.

1.3) Enter the ports 30000 to 65535 and select the TCP protocol. Then click on OK.

  • Which of the opened ports may actually be used is regulated later in the configuration by the application filter (see steps 1.16 and 1.17).
  • The ports stored here are used for the FTP data connection. Make sure that these ports (or a subset of them) are also configured in your FTP client. Note that in passive mode the data port is chosen by the FTP server (announced in its 227/229 reply), so the passive port range of the servers you connect to must also fall within this range; otherwise the data connection does not match the FTP-Data service.

1.4) Click Create to create the service.

1.5) In the configuration of the Unified Firewall, navigate to the menu UTM → Application Management → Settings.

1.6) Enable Application Management with the slider button and click Save.

1.7) Open the menu UTM → Application Management → Filter Profiles.

1.8) Enter a descriptive profile name, activate the protocol FTP and click Create.

In the filter field, enter the search term ftp to help you find the FTP protocol faster.

1.9) On the desktop, click the host or network object for which communication via FTP is allowed, select the connection tool and click on the Internet object to view the firewall rules.

1.10) For the entry FTP, click the trash-can icon to remove the protocol from this rule.

1.11) Then click on Save.

1.12) Click the icon for Create a host, or for Create a network if FTP should be allowed for the entire network.

1.13) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name. This must not be the same as the name of the existing object.
  • Interface: Select the interface that the host or network is connected to.
  • IP address: Enter the IP address of the existing host or the network address of the existing network.

1.14) Click the host or network object created in step 1.13, select the connection tool and click the Internet object to view the firewall rules.

1.15) Add the FTP protocol as well as the service for the FTP data (in this example FTP-Data) created in steps 1.1 - 1.4.

Use the filter field to help you find the services faster.

1.16) Click on the tab Application Filter.

1.17) Select the option Whitelist and add the filter profile created in step 1.8.

1.18) Click on Create.

1.19) Finally, implement the changes by clicking Activate.
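After step 1 is activated, it is worth checking that the FTP servers your users connect to actually announce passive data ports inside the range of the FTP-Data service from step 1.3; a server that hands out ports below 30000 will not match that service. The following Python script is an added example and not part of the LANCOM article: it parses the 227 (PASV) and 229 (EPSV) replies defined in RFC 959 and RFC 2428, compares the announced port with the configured range, and optionally probes a live server with the standard library's ftplib. The sample replies and the `DATA_PORT_MIN`/`DATA_PORT_MAX` values are constructed assumptions; adjust them if you configured a narrower range.

```python
"""Check whether FTP passive data ports fall inside the FTP-Data service range."""
from __future__ import annotations

import re
from ftplib import FTP

# Assumption: the article's range from step 1.3 (TCP 30000-65535).
DATA_PORT_MIN = 30000
DATA_PORT_MAX = 65535

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) announced in a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv_reply(reply: str) -> int:
    """Return the port announced in a 229 EPSV reply."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))


def port_allowed(port: int, lo: int = DATA_PORT_MIN, hi: int = DATA_PORT_MAX) -> bool:
    """True if the data port is covered by the FTP-Data service range."""
    return lo <= port <= hi


def check_replies(replies: list[str]) -> list[tuple[int, bool]]:
    """Classify captured 227/229 replies as (port, allowed-by-service-range)."""
    results = []
    for reply in replies:
        port = parse_epsv_reply(reply) if reply.startswith("229") else parse_pasv_reply(reply)[1]
        results.append((port, port_allowed(port)))
    return results


def probe_server(host: str, user: str = "anonymous",
                 passwd: str = "probe@example.invalid", samples: int = 5) -> list[tuple[int, bool]]:
    """Live check: request `samples` passive ports from a real server.

    Needs network access; the hostname and credentials are assumptions.
    """
    results = []
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, passwd)
        for _ in range(samples):
            _, port = parse_pasv_reply(ftp.sendcmd("PASV"))
            results.append((port, port_allowed(port)))
    return results


# Constructed sample replies (not captured from a real server):
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,117,48)",  # 117*256+48 = 30000 -> allowed
    "227 Entering Passive Mode (192,168,1,10,39,16)",   # 39*256+16 = 10000 -> outside range
    "229 Entering Extended Passive Mode (|||65535|)",   # 65535 -> allowed
]

if __name__ == "__main__":
    for port, ok in check_replies(SAMPLE_REPLIES):
        print(f"data port {port}: {'allowed' if ok else 'OUTSIDE FTP-Data range'}")
```

Run it against your own servers with `probe_server("ftp.example.invalid")` (hostname assumed); any `False` entry means the server's passive port range has to be reconfigured, or the FTP-Data service from step 1.3 widened, before the Application Management rule from step 1.15 will cover that data connection.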

2. Setting up the FTP proxy:

The use of the FTP proxy requires an active and working HTTP proxy.

2.1) On the desktop, click the host or network object for which communication via FTP is allowed, select the connection tool and click on the Internet object to view the firewall rules.

2.2) Under the Options for FTP, click on NAT to access the advanced settings.

2.3) Next to Proxy, check the box next to Enable proxy for this service and click OK.

2.4) Click Save to accept the change.

2.5) Finally, implement the changes by clicking Activate.