FTP to proxy transformation (AV content inspection)

Question

Hello,&nbsp;
&nbsp;would it be possible for an iRule to intercept pure FTP traffic from clients, transform it to proxy format, and redirect to a an FTP content inspection antivirus server?&nbsp;
&nbsp;Example:&nbsp;
&nbsp;1) client opens a new FTP connection to a remote server
&nbsp;2) BigIP intercepts the connection, transform the request to proxy format (changes the username:password to username:password@domain and whatever needed to fit it to a regular proxy request)
&nbsp;3) BigIP redirects the request (now in proxy format) to the FTP Contect Inspection Server, or pool.
&nbsp;4) FTP Content Inspection Server receives the connection, open the new connection (acting as a proxy) to the destination server, inspects the data, and send it back to the client.&nbsp;
&nbsp;The redirection to a pool is simple. The problem is the proxy transformation...&nbsp;&nbsp;
&nbsp;Thanks,&nbsp;
&nbsp; Oswaldo&nbsp;

colin_walker_12 · Answer

Oswaldo,&nbsp;
&nbsp;Depending on the exact transformations that need to occur, this should be possible...though likely not trivial.&nbsp;
&nbsp;With iRules you have the ability to read the entire header and payload and make granular changes to the contents.  Something like altering the username/password format is absolutely possible.&nbsp;
&nbsp;Since I've never tried this, I can't say exactly what it would take, but if you have the requirements of the proxy connection and the FTP connection, that's probably a good place to start.  If you can map out each change that needs to be made, you can probably find some iRules commands to allow you to make the change.&nbsp;
&nbsp;I would wager identifying all of the proper changes that need to be made is half the battle.  This sounds like an interesting project.  Make sure to keep us updated on your progress, and any questions you might have on specific rule functionality.&nbsp;
&nbsp;Thanks!
&nbsp;-Colin

oswaldo_gomes_1 · Answer

Hello,&nbsp;
&nbsp;the FTP content inspection server needs the following changes:&nbsp;
&nbsp;- Change the username to username@host&nbsp;
&nbsp;This is the error message from the content inspection server (if I telnet on port 21):&nbsp;
&nbsp;530 Log in first by USER user@host&nbsp;&nbsp;
&nbsp;So, if I am trying to connect to a FTP server 200.181.11.65, using user "oswaldo" and password "test123", the username has to be changed from "oswaldo" to "oswaldo@200.181.11.65". The password remains the same...&nbsp;
&nbsp;This username transformation is the first step to make this work... I will try some iRules and post here soon...&nbsp;
&nbsp;Thanks,&nbsp;
&nbsp; Oswaldo

george_dimitria · Answer

We have also the same requirement...Sounds like and interesting task....&nbsp;
&nbsp;Anyone done any work on that.....&nbsp;&nbsp;

Forum Discussion

FTP to proxy transformation (AV content inspection)

Recent Discussions

Help needed with iRule (connection closed log )

AS3 Limitations

Use of SSL Decryption.

VLAN Failsafe Functionality

FTP PASV mode to Extended Passive mode

Related Content

Help F5 Transform the BIG-IP Administrator Certification

Let's Talk InfoSec Transformation

Accelerating Digital Transformation in Banking and Financial Services

AFM Protocol Inspection rules for CVE-2022-3602 (aka SpookySSL)

Inspecting a UCS file from a compromised BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS