While working on a solution for collecting logs from a Blue Coat system in a DMZ, we had the requirement that the FTP/FTPS connection needed to traverse a firewall. The issue that immediately became apparent was that allowing a client using Active FTP/FTPS to communicate with the Log Collector would require opening almost the entire port range on the firewall. To resolve this, we turned to a Passive FTP/FTPS configuration, which allowed us to specify a port range for client/Log Collector communication and write a much narrower firewall rule. The explanation below shows how the port assignments work in FTP/FTPS communication.
Active FTP/FTPS uses random ports to initiate the data channel connection from the Log Collector. This presents a challenge for use through a firewall, as you cannot predict which ports the server will use to initiate the data transfer.
FTP/FTPS Client – Random Port1 --> Port 21 – Log Collector (Communication Channel)
FTP/FTPS Client – Random Port2 <-- Random Port3 – Log Collector (Data Transfer Channel)
NOTE: Firewalls that are FTP aware generally work fine with this random data port communication, as they can inspect the control channel, see the data transfer channel connection coming back from the Log Collector to the client, and allow it. However, when you switch to FTPS the control channel is encrypted, so the firewall cannot tell that the inbound connection from the Log Collector to the client is a data transfer channel and will block it. This is when you have to use Passive FTP/FTPS or open the entire port range to allow the Log Collector initiated data transfer channel to come back to the client.
Passive FTP/FTPS uses a defined set of ports for the data channel, and the data connection is initiated from the client system. The firewall rules can therefore be restricted to that defined port range instead of having to accommodate random ports.
FTP/FTPS Client – Random Port1 --> Port 21 – Log Collector (Communication Channel)
FTP/FTPS Client – Random Port2 --> Defined Passive Port – Log Collector (Data Transfer Channel)
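The following is an added example (not from the original write-up or the Log Collector product) showing how the data-channel port is derived in each mode: it parses the server's PASV reply (passive) and the client's PORT command (active) and checks whether the resulting data connection fits a defined passive port range as a firewall rule would see it. The port range and addresses are constructed values.

```python
import re

# Constructed example: the passive data-port range configured on the
# Log Collector and opened inbound on the firewall (client -> collector).
PASSIVE_PORT_RANGE = (50000, 50100)

_TUPLE_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (host, port); port = p1*256 + p2."""
    nums = [int(x) for x in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' sent by the server.
    In passive mode the CLIENT connects to this host:port (Data Transfer Channel)."""
    m = _TUPLE_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    return _decode(m.groups())


def parse_port_command(cmd):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' sent by the client in active mode.
    The SERVER (Log Collector) then connects back to this host:port."""
    verb, _, arg = cmd.strip().partition(" ")
    m = _TUPLE_RE.fullmatch(arg.strip())
    if verb.upper() != "PORT" or not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode(m.groups())


def data_channel_check(mode, port, passive_range=PASSIVE_PORT_RANGE):
    """Return (direction, allowed) for the data channel a stateless firewall
    rule would have to permit. Only passive mode yields a predictable target."""
    lo, hi = passive_range
    if mode == "passive":
        # Client -> Log Collector; allowed only if inside the defined range.
        return "client->collector", lo <= port <= hi
    # Active: Log Collector -> client on a random client port. No fixed
    # range covers it, so a static rule cannot admit it (FTPS hides it too).
    return "collector->client", False


if __name__ == "__main__":
    host, port = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)")
    print("passive:", host, port, data_channel_check("passive", port))
    host, port = parse_port_command("PORT 198,51,100,7,200,1")
    print("active:", host, port, data_channel_check("active", port))
```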