Manual Chapter :
Enabling FTPS on the FTP ALG Profile
Applies To:
Show VersionsBIG-IP LTM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1
Enabling FTPS on the FTP ALG Profile
Overview: Enabling FTPS on the FTP ALG profile
When creating an FTP application layer gateway (ALG) profile, you can enable file transfer
protocol secure (FTPS) to allow FTP clients to issue the authentication transport layer security
(AUTH TLS) or AUTH secure socket layer (SSL) commands, and encrypt FTP traffic between the client
and server for that connection. The BIG-IP system switches the connection
to pass through mode, but does not participate in the encryption process.
About the FTP ALG profile with FTPS enabled
When configuring the FTP application layer gateway (ALG) profile, after enabling File Transfer
Protocol Secure (FTPS), ALG switches to pass-through mode. This allows for an encrypted control
connection to proceed. Once the connection is encrypted, it cannot be inspected for control
commands, and firewall policies cannot be applied to the contents of the connection. For this
reason, you must configure another virtual server, a wildcard CGNAT virtual server, to support
the passive data transfer connections. FTPS only supports passive mode data transfers.
The wildcard and FTP virtual servers must share the same LSN pool, and address persistence must
be configured on the pool. This configuration ensures that source address translation is
consistent for the control and data connections that make up the file transfer.
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click.The LSN Pool List screen opens.
- ClickCreate.
- In theNamefield, type a unique name.
- In the Configuration area, for thePersistence Modesetting, selectAddressorAddress Port.
- For theMember Listsetting, type an address and a prefix length in theAddress/Prefix Lengthfield, and clickAdd.If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix10.10.10.0/24overlaps10.10.10.0/23.
- ClickFinished.
Creating an FTP ALG profile
You can configure a file transfer protocol (FTP) profile on the BIG-IP system that transfers files and messages related to logs. By enabling
FTP secure (FTPS), the application layer gateway (ALG) switches to pass-through mode,
allowing an encrypted control connection to proceed.
- On the Main tab, click.The FTP screen opens and displays a list of available FTP ALG profiles.
- ClickCreate.
- Type a name for the profile.
- From theParent Profilelist, select a parent profile.
- Select theCustomcheck box.
- Select theTranslate Extendedcheck box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol.The default is selected.
- Select theInherit Parent Profilecheck box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default.If this setting is disabled, the data channel uses FastL4 (BigProto) only.
- In theData Portfield, type a number for an alternate port.The default value for the FTP data port is20.
- In the Settings area, select theAllow FTPScheck box.
- In the Log Settings area, from theLog Publisherlist, select the log publisher the BIG-IP system uses to send log messages to a specified destination.If you configure a log publisher, you must also configure a Logging Profile.If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set thelogpublisher.atomicdb variable tofalse.
- From theLogging Profilelist, select the logging profile the BIG-IP system uses to configure logging options for various TFTP events.If you configure a Logging Profile, you must also configure a Log Publisher.
- ClickFinished.
Creating a virtual server using an FTP ALG profile
Virtual servers are matched based on source (client) addresses. Define a virtual
server in order to reference an FTP profile and LSN pool.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- From theTypelist, retain the default settingStandard.
- For theDestination Address/Masksetting, confirm that theHostbutton is selected, and type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address you type must be available and not in the loopback network.
- In theService Portfield, type21or selectFTPfrom the list.
- From theProtocollist, selectTCP.
- From theProtocol Profile (Client)list, select a predefined or user-defined TCP profile.
- From theProtocol Profile (Server)list, select a predefined or user-defined TCP profile.
- From theFTP Profilelist, select an FTP ALG profile for the virtual server to use.
- For theLSN Poolsetting, select the pool that this server will draw on for addresses.
- Locate the Resources area of the screen; for theRelated iRulessetting, from theAvailablelist, select the name of the iRule that you want to assign and move the name to theEnabledlist.This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
- ClickFinished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.
Creating a wildcard virtual server
Create a wildcard virtual server to support passive mode connections. The wildcard
virtual server, along with the virtual server attached to an FTP ALG profile, must share
the same LSN pool with persistence enabled.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type a wildcard network address in CIDR format, such as0.0.0.0/0for IPv4 or::/0for IPv6, to accept any traffic.
- In theService Portfield, type0.Port0defines a wildcard virtual server that handles all types of services. If you specify a port number, you create a port-specific wildcard virtual server. In that case, the wildcard virtual server handles traffic only for the specified port.
- ClickFinished.
Creating an FTP ALG logging profile
You can create an application layer gateway (ALG) logging profile, and associate it
with one or more FTP ALG profiles, to allow you to configure logging options for various
events that apply to high-speed logging (HSL) destinations. A logging profile decreases
the need to maintain a number of customized profiles where the events are very
similar.
- On the Main tab, click.The ALG logging profiles screen opens.
- On the Main tab, click.The ALG Logging screen opens.
- ClickCreate.The New ALG Logging Profile screen opens.
- In theNamefield, type a unique name for the logging profile.
- From theParent Profilelist, select a profile from which the new profile inherits properties.
- For the Log Settings area, select theCustomcheck box.
- For the Log Settings area, selectEnabledfor the following settings, as necessary.SettingDescriptionCSV FormatGenerates log entries in comma-separated-values (csv) format.Start Control ChannelGenerates event log entries at the start of a control channel connection for an ALG client.End Control ChannelGenerates event log entries at the end of a control channel connection for an ALG client.Start Data ChannelGenerates event log entries at the start of a data channel connection for an ALG client.End Data ChannelGenerates event log entries at the end of a data channel connection for an ALG client.Inbound TransactionGenerates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system.Enabling theCSVcheck box affects splunk logs because IP addresses are shown asip,port,rtdominstead ofip%rtdom:port. Do not mix log types and only use standard syslog formats.
- ClickFinished.