Manual Chapter : Enabling FTPS on the FTP ALG Profile

Applies To:

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1

Overview: Enabling FTPS on the FTP ALG profile

When you create an FTP application layer gateway (ALG) profile, you can enable File Transfer Protocol Secure (FTPS). This allows FTP clients to issue the AUTH TLS or AUTH SSL commands and encrypt the FTP traffic between the client and server for that connection. The BIG-IP system switches the connection to pass-through mode and does not participate in the encryption.

About the FTP ALG profile with FTPS enabled

When you configure the FTP application layer gateway (ALG) profile and enable File Transfer Protocol Secure (FTPS), the ALG switches to pass-through mode so that an encrypted control connection can proceed. Once the connection is encrypted, it cannot be inspected for control commands, and firewall policies cannot be applied to the contents of the connection. For this reason, you must configure another virtual server, a wildcard CGNAT virtual server, to support the passive data transfer connections. FTPS supports only passive mode data transfers.
The wildcard and FTP virtual servers must share the same LSN pool, and address persistence must be configured on the pool. This configuration ensures that source address translation is consistent for the control and data connections that make up the file transfer.

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools.
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.

Creating an FTP ALG profile

You can configure a File Transfer Protocol (FTP) profile on the BIG-IP system that transfers files and messages related to logs. When you enable FTP Secure (FTPS), the application layer gateway (ALG) switches to pass-through mode, allowing an encrypted control connection to proceed.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > FTP.
    The FTP screen opens and displays a list of available FTP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. Select the Translate Extended check box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol.
    The default is selected.
  7. Select the Inherit Parent Profile check box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default.
    If this setting is disabled, the data channel uses FastL4 (BigProto) only.
  8. In the Data Port field, type a number for an alternate port.
    The default value for the FTP data port is 20.
  9. In the Settings area, select the Allow FTPS check box.
  10. In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    If you configure a log publisher, you must also configure a Logging Profile.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  11. From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various FTP events.
    If you configure a Logging Profile, you must also configure a Log Publisher.
  12. Click Finished.

Creating a virtual server using an FTP ALG profile

Virtual servers are matched based on source (client) addresses. Define a virtual server that references an FTP profile and an LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address you type must be available and not in the loopback network.
  6. In the Service Port field, type 21 or select FTP from the list.
  7. From the Protocol list, select TCP.
  8. From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
  9. From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
  10. From the FTP Profile list, select an FTP ALG profile for the virtual server to use.
  11. For the LSN Pool setting, select the pool that this server will draw on for addresses.
  12. Locate the Resources area of the screen; for the Related iRules setting, from the Available list, select the name of the iRule that you want to assign and move the name to the Enabled list.
    This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
  13. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Creating a wildcard virtual server

Create a wildcard virtual server to support passive mode connections. The wildcard virtual server, along with the virtual server attached to an FTP ALG profile, must share the same LSN pool with persistence enabled.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  5. In the Service Port field, type 0.
    Port 0 defines a wildcard virtual server that handles all types of services. If you specify a port number, you create a port-specific wildcard virtual server. In that case, the wildcard virtual server handles traffic only for the specified port.
  6. Click Finished.

Creating an FTP ALG logging profile

You can create an application layer gateway (ALG) logging profile, and associate it with one or more FTP ALG profiles, to allow you to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > ALG.
    The ALG logging profiles screen opens.
  2. On the Main tab, click Local Traffic > Profiles > Other > ALG Logging.
    The ALG Logging screen opens.
  3. Click Create.
    The New ALG Logging Profile screen opens.
  4. In the Name field, type a unique name for the logging profile.
  5. From the Parent Profile list, select a profile from which the new profile inherits properties.
  6. In the Log Settings area, select the Custom check box.
  7. In the Log Settings area, select Enabled for the following settings, as necessary.
    CSV Format: Generates log entries in comma-separated values (CSV) format.
    Start Control Channel: Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel: Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel: Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel: Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction: Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system.
    Enabling the CSV Format check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types; use only standard syslog formats.
  8. Click Finished.
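The two address renderings named in step 7 (ip,port,rtdom when CSV Format is enabled, ip%rtdom:port otherwise) break field parsing when a SIEM receives a mix of both. The following Python normalizer is an added example, not code from F5 or from this manual; it accepts either rendering and returns one canonical endpoint. It assumes route domain 0 when none is present and, for IPv6 addresses in the non-CSV form, assumes the port is separated by '.' as in tmsh output.

```python
import ipaddress
from typing import NamedTuple

class Endpoint(NamedTuple):
    ip: str
    port: int
    route_domain: int  # BIG-IP route domain id; 0 is the default route domain

def _endpoint(ip: str, port: str, rtdom: str) -> Endpoint:
    """Validate the three parts and build a canonical Endpoint."""
    addr = ipaddress.ip_address(ip.strip())  # raises ValueError on garbage
    p = int(port)
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    return Endpoint(str(addr), p, int(rtdom))

def parse_csv_field(field: str) -> Endpoint:
    """CSV-format ALG log address: ip,port,rtdom (a missing rtdom means 0)."""
    parts = [p.strip() for p in field.split(",")]
    if len(parts) == 2:
        parts.append("0")
    if len(parts) != 3:
        raise ValueError(f"expected ip,port,rtdom: {field!r}")
    return _endpoint(*parts)

def parse_standard_field(field: str) -> Endpoint:
    """Non-CSV ALG log address: ip%rtdom:port (IPv4). For IPv6 the port separator
    is assumed to be '.' (tmsh convention, not in the manual); absent %rtdom means 0."""
    addr, _, tail = field.partition("%")
    if tail:
        # tail is "<rtdom><sep><port>"; the separator is the first ':' or '.'
        cuts = [i for i in (tail.find(":"), tail.find(".")) if i >= 0]
        if not cuts:
            raise ValueError(f"no port in {field!r}")
        return _endpoint(addr, tail[min(cuts) + 1:], tail[:min(cuts)])
    sep = "." if addr.count(":") > 1 else ":"  # more than one colon means IPv6
    ip, found, port = addr.rpartition(sep)
    if not found:
        raise ValueError(f"no port in {field!r}")
    return _endpoint(ip, port, "0")

def normalize(field: str) -> Endpoint:
    """Accept either rendering and return one canonical Endpoint."""
    return parse_csv_field(field) if "," in field else parse_standard_field(field)

def to_standard(ep: Endpoint) -> str:
    """Render back in the non-CSV form so downstream parsers see one format."""
    sep = "." if ":" in ep.ip else ":"
    return f"{ep.ip}%{ep.route_domain}{sep}{ep.port}"
```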