FTPS through a NAT – Watchguard Firewall – How to make it work?

Question: FTPS through a NAT – Watchguard Firewall – How to make it work?

I have a Watchguard Firewall and have been asked to implement ftps. I have ftps going, works fine when connecting direct. However, my Watchguard firewall NAT’ing scheme seems to blow it up. Can’t connect across the firewall.

I’ve tried the 1-to-1 NAT settings where I map the ftp server to an IP on the firewall and allow everything to it (the ‘ANY’ filter). I’ve tried the ftp proxy, regular ftp filters, etc. I’m not getting denied, and I can connect to the server, but it hangs on the TLS AUTH command.

Any ideas on how to make ftps work through my firewall? Has anyone done this on a Watchguard (Fireware 8.3)?

Note again that ftp works, sftp/ssh works–everything except ftps. I have a specific need for ftps.


 

Solution: FTPS through a NAT – Watchguard Firewall – How to make it work?

Ah.  I did a search on “SSL session NOT set for reuse” and found a few hits.

It appears that Watchguard knows that FTP is on port 21 and is examining each packet and gets upset when it sees something that is NOT plain text FTP.  So the firewall is either getting upset with the AUTH TLS command or getting upset when it sees an encrypted packet.

The suggestions I have seen are:

1) Don’t tell Watchguard that port 21 is FTP.  Define it as just “TCP”.
2) Set up the SSL FTP server to use another port for control sessions and define it to Watchguard as TCP.
3) Move the SSL FTP server so that it is in front of the firewall.
4) Test using implicit SSL FTP, which never goes through clear text to encrypted changes.  However implicit SSL has been deprecated and so it is going away (in the next few decades is my guess).
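
To tell apart the two cases named in the answer (the firewall objecting to the AUTH TLS command itself, or to the encrypted packets that follow it), the probe below walks the explicit FTPS control channel one step at a time and reports where it stops. It is an added example, not part of the original answer; the function name `probe_explicit_ftps` and the stage labels are hypothetical.

```python
import socket
import ssl

def _reply(sock):
    """Read one FTP reply (may be multi-line); return its 3-digit code, or None on timeout/EOF."""
    line = b""
    try:
        while True:
            ch = sock.recv(1)
            if not ch:
                return None
            line += ch
            if ch == b"\n":
                # The final line of a reply is "NNN <text>"; "NNN-<text>" lines continue it.
                if line[:3].isdigit() and line[3:4] == b" ":
                    return line[:3].decode()
                line = b""
    except OSError:  # includes socket timeouts
        return None

def probe_explicit_ftps(host, port=21, timeout=5.0):
    """Return the stage at which explicit FTPS stops working on this network path."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect-failed"
    with sock:
        if _reply(sock) != "220":
            return "no-banner"
        sock.sendall(b"AUTH TLS\r\n")
        code = _reply(sock)
        if code is None:
            return "auth-tls-no-reply"      # command or its reply swallowed on the path
        if code != "234":
            return "auth-tls-rejected"      # server or proxy answered, but refused
        ctx = ssl.create_default_context()  # certificate verification stays on
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls-ok"
        except ssl.SSLCertVerificationError:
            return "tls-passed-cert-untrusted"  # TLS crossed the firewall; cert is the issue
        except (ssl.SSLError, OSError):
            return "tls-handshake-failed"   # 234 seen, encrypted packets did not get through

if __name__ == "__main__":
    import sys
    print(probe_explicit_ftps(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 21))
```

Run it once directly against the server and once through the firewall's external address; a result that differs only on the NAT path points at the firewall's FTP inspection rather than the server configuration.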