Forum Discussion
tidenz_92110
Nimbostratus
Jun 29, 2010
LTM FTP LB v10
Hi Guys,
I have done a quick search and didn't come up with anything related to v10 and FTP active or passive.
I am looking for some docs on active and passive FTP config docs for LTM 10.1.0. There are a lot of v9 configs but I have heard there are changes in v10 that affect FTP.
We are looking to upgrade to v10.1.0 and I would like to cover any potential issues we could run into.
Thanks in advance.
11 Replies
Chris_Miller
Altostratus
I personally didn't run into any issues when I migrated - are you worried about inbound FTP or outbound?
tidenz_92110
Nimbostratus
mostly inbound, but outbound as well.
We use a mix of active and passive FTP and also don't use SNAT and are inline with the FTP servers. The KB shows an example of changed behaviour, I just want to confirm nothing breaks
https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11460.html
In v9 we had 3 VIPs configured: an external-facing inbound port 21 VIP, a server-facing backend wildcard:21 and a wildcard:all VIP.
We were using solution articles to build our outbound and inbound VIPs
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4implementation/BIG-IP_9_4_Implementation_Gd-15-1.html
https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8021.html
Chris_Miller
Altostratus
Posted By tidenz on 06/29/2010 07:08 PM
mostly inbound, but outbound as well.
We use a mix of active and passive FTP and also don't use SNAT and are inline with the FTP servers. The KB shows an example of changed behaviour, I just want to confirm nothing breaks
https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11460.html
In v9 we had 3 VIPs configured: an external-facing inbound port 21 VIP, a server-facing backend wildcard:21 and a wildcard:all VIP.
We were using solution articles to build our outbound and inbound VIPs
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4implementation/BIG-IP_9_4_Implementation_Gd-15-1.html
https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8021.html
Shall I assume you have the "ftp" profile bound to all the above?
tidenz_92110
Nimbostratus
Hi Chris,
Yes we do have the FTP profile bound but it is configured for port zero in the data port.
As an update we have upgraded our qual test F5 and FTP behaviour has changed. In 9.4.7 the front and rear PORT commands were identical, in 10.1 HF1 it looks like the F5 is proxying the connections on the back and front on different ports.
It works but our firewalls are triggering an FTP bounce attack alert.
Chris_Miller
Altostratus
Posted By tidenz on 07/01/2010 02:41 PM
Hi Chris,
Yes we do have the FTP profile bound but it is configured for port zero in the data port.
As an update we have upgraded our qual test F5 and FTP behaviour has changed. In 9.4.7 the front and rear PORT commands were identical, in 10.1 HF1 it looks like the F5 is proxying the connections on the back and front on different ports.
It works but our firewalls are triggering an FTP bounce attack alert.
Why have port 0 and not FTP port?
tidenz_92110
Nimbostratus
The FTP server is set up to use a random port to establish an outbound data connection (this has always been the case) and don't ask me how it works on the other end firewall.
But further to this it looks like some stuff is rewritten on the front going to the client but not all.
I am seeing 150 RESPONSE messages in the control channel on the front not rewritten to match the port used on the front to client.
hoolio
Cirrostratus
For future reference, I think you can disable CMP on the FTP virtual(s) to prevent TMM from changing the ports. There are a couple of related requests for enhancement/solution requests for this:
BZ393813 - RFE: Enhance passive mode FTP security by explicitly specifying the allowed data port range
BZ394805 - LTM v10.2.3 New solution request for ftp data connection may change port
Aaron
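The firewall alert and the front/back PORT mismatch discussed above both come down to the same kind of check: does the endpoint advertised in a PORT command or a 227 (PASV) reply agree with what is actually observed on the control connection? The script below is an added example written for this thread, not code from F5, DevCentral or any poster, and it makes no claim about what a specific firewall product checks. It applies the two generic tests that FTP-aware firewalls commonly use (the advertised address must match the control-connection peer, and the data port must be unprivileged) to a constructed control-channel transcript, and it also pairs up the data ports advertised on the client-facing and server-facing sides of an inline proxy to show where they drift, which is what the captures in this thread would be compared for. All IP addresses, ports and transcript lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 (client -> server, active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) (server -> client, passive mode)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Endpoint:
    host: str
    port: int


def decode_hostport(groups):
    """Turn the six comma-separated octets of PORT/227 into host and port."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_line(line):
    """Return ('PORT', Endpoint) or ('PASV', Endpoint) for a data-channel
    announcement, or None for any other control-channel line."""
    m = PORT_RE.match(line)
    if m:
        return ("PORT", decode_hostport(m.groups()))
    m = PASV_RE.match(line)
    if m:
        return ("PASV", decode_hostport(m.groups()))
    return None


def check_data_endpoint(kind, ep, client_ip, server_ip):
    """Generic firewall-style policy (assumed, not any vendor's exact rule):
    the advertised host must be the peer that sent the announcement, and the
    data port must not be privileged. Returns a list of findings."""
    findings = []
    expected = client_ip if kind == "PORT" else server_ip
    if ep.host != expected:
        findings.append(
            f"{kind} advertises {ep.host} but control peer is {expected} "
            "(possible bounce or proxy rewrite mismatch)"
        )
    if ep.port < 1024:
        findings.append(f"{kind} advertises privileged port {ep.port}")
    return findings


def audit_session(lines, client_ip, server_ip):
    """Run the policy over every PORT/227 line of one control session."""
    report = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, ep = parsed
        report.append((line, check_data_endpoint(kind, ep, client_ip, server_ip)))
    return report


def advertised_ports(lines):
    """Data ports announced in a session, in order of appearance."""
    return [ep.port for kind, ep in (p for p in map(parse_line, lines) if p)]


def port_drift(front_lines, back_lines):
    """Pair the n-th announcement seen on the client-facing (front) side of an
    inline proxy with the n-th seen on the server-facing (back) side and
    report the pairs whose data port differs."""
    front, back = advertised_ports(front_lines), advertised_ports(back_lines)
    return [(f, b) for f, b in zip(front, back) if f != b]


# Constructed sample data (documentation-range addresses, not real hosts).
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"
SESSION = [
    "220 Service ready",
    "USER test",
    "PORT 192,0,2,10,195,80",                           # 192.0.2.10:50000, ok
    "150 Opening data connection",
    "PORT 203,0,113,5,195,81",                          # third-party host: bounce finding
    "PASV",
    "227 Entering Passive Mode (198,51,100,20,200,0)",  # server:51200, ok
    "PORT 192,0,2,10,0,21",                             # privileged port finding
]
# Same transfer captured on both sides of a proxy that rewrites the data port.
FRONT = ["PORT 192,0,2,10,195,80", "227 Entering Passive Mode (198,51,100,20,200,0)"]
BACK = ["PORT 192,0,2,10,195,82", "227 Entering Passive Mode (198,51,100,20,200,0)"]

if __name__ == "__main__":
    for line, findings in audit_session(SESSION, CLIENT_IP, SERVER_IP):
        print(line, "->", findings or "ok")
    print("front/back port drift:", port_drift(FRONT, BACK))
```

Feeding the front-side and back-side captures of one session into port_drift gives the list of (front, back) pairs that disagree; an empty list is the v9 behaviour described above, where both sides carried identical PORT commands.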