AFM and FTP

Question

Hi,&nbsp;
I need to autorize FTP (via AFM) on the global context, but how to handle the dynamic port negociation between client and server ?&nbsp;
Best regards,&nbsp;

zdenda · Answer

Hi, I am also wondering and it looks the only way is to create standard VIP with FTP profile binded and attache there AFM policy .. ?
I have 2 forwarding VIPs per subnet (in/out) and I would appreciate if there is any way how to open FTP just by adding new rule into AFM policy and not to create new VIP for each FTP server.&nbsp;
If you have any tips how to handle FTP in AFM, please share.&nbsp;
Thanks
Zdenek&nbsp;

nitass · Answer

I need to autorize FTP (via AFM) on the global context, but how to handle the dynamic port negociation between client and server ?&nbsp;

as long as ftp control channel is allowed, global or route domain context won't drop/reject ftp data channel.&nbsp;
there is a bug about global or route domain context action in 11.5.0 which is fixed in 11.5.1 hf4 and 11.6.0.&nbsp;
ID456107 [Network Firewall] If AFM rule action (at global or rtdom contexts) is Drop/reject, LTM overrides this action for EPHEMERAL connections (such as FTP data channel) without any visibility&nbsp;

Forum Discussion

AFM and FTP

2 Replies

Recent Discussions

google-visualization-issues

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Protecting the F5 BIG-IP AFM system with AFM Protocol Inspection System Checks

Enriching AFM with public domain Threat Intelligence

Traffic Intelligence in AFM through Categories

BIG-IP AFM設定例-NAT

BIG-IP Advanced Firewall Manager (AFM) DNS NXDOMAIN Query Attack Type Walkthrough - part two