LTM FTP LB v10

I personally didn't run into any issues when I migrated - are you worried about inbound FTP or outbound?

mostly inbound, but outbound as well.

 

 

We use a mix of active and passive ftp and also dont use SNAT and are inline with the ftp servers. The KB shows an example of changed behaviour, i just wanna confirm nothing breaks

 

 

https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11460.html

 

 

In v9 we had 3 vips configured an external facing inbound port 21 vip, a server facing backend wildcard:21 and a wildcard:all vip.

 

 

we were using solution articles to build our outbound and inbound vips

 

 

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4implementation/BIG-IP_9_4_Implementation_Gd-15-1.html

 

https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8021.html

 

 

 

Posted By tidenz on 06/29/2010 07:08 PM

 

mostly inbound, but outbound as well.

 

 

We use a mix of active and passive ftp and also dont use SNAT and are inline with the ftp servers. The KB shows an example of changed behaviour, i just wanna confirm nothing breaks

 

 

https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11460.html

 

 

In v9 we had 3 vips configured an external facing inbound port 21 vip, a server facing backend wildcard:21 and a wildcard:all vip.

 

 

we were using solution articles to build our outbound and inbound vips

 

 

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4implementation/BIG-IP_9_4_Implementation_Gd-15-1.html

 

https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8021.html

 

 

 

 

 

Shall I assume you have the "ftp" profile bound to all the above?

Hi Chris,

 

 

Yes we do have the FTP profile bound but it is configured for port zero in the data port.

 

 

As an update we have upgraded our qual test F5 and FTP behaviour has changed. In 9.4.7 the front and rear PORT commands were identical, in 10.1 HF1 it looks like the F5 is proxying the connections on the back and front on different ports.

 

 

it works but our firewalls are triggering an FTP bounce attack alert.

 

Posted By tidenz on 07/01/2010 02:41 PM

 

Hi Chris,

 

 

Yes we do have the FTP profile bound but it is configured for port zero in the data port.

 

 

As an update we have upgraded our qual test F5 and FTP behaviour has changed. In 9.4.7 the front and rear PORT commands were identical, in 10.1 HF1 it looks like the F5 is proxying the connections on the back and front on different ports.

 

 

it works but our firewalls are triggering an FTP bounce attack alert.

 

 

 

Why have port 0 and not FTP port?

the ftp server is setup to use a random port to establish an outbound data connection (this has always been the case) and dont ask me how it works on the other end firewall.

 

 

But further to this it looks like some stuff is rewritten on the front going to the client but not all.

 

 

I am seeing 150 RESPONSE messages in the control channel on the front not re-wrtitten to match the port used on the front to client.

 

For future reference, I think you can disable CMP on the FTP virtual(s) to prevent TMM from changing the ports. There are a couple of related requests for enhancement/solution requests for this:

 

 

BZ393813 - RFE: Enhance passive mode FTP security by explicitly specifying the allowed data port range

 

BZ394805 - LTM v10.2.3 New solution request for ftp data connection may change port

 

 

Aaron

For future reference, I think you can disable CMP on the FTP virtual(s) to prevent TMM from changing the ports. There are a couple of related requests for enhancement/solution requests for this:

 

 

BZ393813 - RFE: Enhance passive mode FTP security by explicitly specifying the allowed data port range

 

BZ394805 - LTM v10.2.3 New solution request for ftp data connection may change port

 

 

Aaron

For future reference, I think you can disable CMP on the FTP virtual(s) to prevent TMM from changing the ports. There are a couple of related requests for enhancement/solution requests for this:

 

 

BZ393813 - RFE: Enhance passive mode FTP security by explicitly specifying the allowed data port range

 

BZ394805 - LTM v10.2.3 New solution request for ftp data connection may change port

 

 

Aaron

For future reference, I think you can disable CMP on the FTP virtual(s) to prevent TMM from changing the ports. There are a couple of related requests for enhancement/solution requests for this:

 

 

BZ393813 - RFE: Enhance passive mode FTP security by explicitly specifying the allowed data port range

 

BZ394805 - LTM v10.2.3 New solution request for ftp data connection may change port

 

 

Aaron