Applies To:
BIG-IP LTM
- 13.0.1, 13.0.0
Overview: Enabling FTPS on the FTP ALG profile
When creating an FTP application layer gateway (ALG) profile, you can enable File Transfer Protocol Secure (FTPS). This allows FTP clients to issue the AUTH TLS (Transport Layer Security) or AUTH SSL (Secure Sockets Layer) command and encrypt FTP traffic between the client and server for that connection. The BIG-IP® system switches the connection to pass-through mode, but does not participate in the encryption process.
About the FTP ALG profile with FTPS enabled
When you configure the FTP application layer gateway (ALG) profile and enable File Transfer Protocol Secure (FTPS), the ALG switches to pass-through mode, which allows an encrypted control connection to proceed. Once the connection is encrypted, it cannot be inspected for control commands, and firewall policies cannot be applied to the contents of the connection. For this reason, you must configure another virtual server, a wildcard CGNAT virtual server, to support the passive data transfer connections. FTPS supports only passive mode data transfers.
The wildcard and FTP virtual servers must share the same LSN pool, and address persistence must be configured on the pool. This configuration ensures that source address translation is consistent for the control and data connections that make up the file transfer.
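The following added example (a toy model, not F5 code and not part of the original page) shows why a separate wildcard virtual server is needed: on a cleartext control connection an ALG can read the server's 227 passive-mode reply and learn the data endpoint, but once the server accepts AUTH TLS with a 234 reply, everything that follows is opaque. The names `ControlTracker` and `track`, and both sample sessions, are constructed for illustration.

```python
import re

# 227 reply layout from RFC 959: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_REPLY = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class ControlTracker:
    """Toy model of an ALG watching one FTP control connection."""

    def __init__(self):
        self.auth_pending = False   # client sent AUTH TLS/SSL, reply not seen yet
        self.pass_through = False   # set once the server accepts AUTH (234)
        self.data_endpoints = []    # (ip, port) pairs learned from 227 replies
        self.opaque_bytes = 0       # bytes relayed without inspection

    def feed(self, sender, data):
        if self.pass_through:
            self.opaque_bytes += len(data)   # ciphertext: nothing to parse
            return
        if sender == "C":
            words = data.upper().split()
            self.auth_pending = (words[:1] == [b"AUTH"]
                                 and words[1:2] in ([b"TLS"], [b"SSL"]))
        elif self.auth_pending and data.startswith(b"234"):
            self.pass_through = True
        else:
            m = PASV_REPLY.match(data)
            if m:
                h = [int(x) for x in m.groups()]
                ip = ".".join(str(o) for o in h[:4])
                self.data_endpoints.append((ip, h[4] * 256 + h[5]))

def track(transcript):
    t = ControlTracker()
    for sender, data in transcript:
        t.feed(sender, data)
    return t

# Constructed sample sessions (documentation addresses, made-up credentials).
CLEARTEXT = [
    ("S", b"220 ready\r\n"), ("C", b"USER demo\r\n"), ("S", b"331 need password\r\n"),
    ("C", b"PASS demo\r\n"), ("S", b"230 logged in\r\n"), ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (198,51,100,10,195,80)\r\n"),
]
FTPS = [
    ("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"), ("S", b"234 proceed\r\n"),
    ("C", b"\x16\x03\x01\x00\x05hello"),            # stand-in for TLS handshake bytes
    ("S", b"\x17\x03\x03\x00\x04\x8a\x11\x5c\x02"),  # stand-in for the encrypted 227 reply
]

if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT), ("ftps", FTPS)):
        t = track(session)
        print(name, t.pass_through, t.data_endpoints, t.opaque_bytes)
```

In the FTPS session the tracker ends with no known data endpoint, so the passive data connection has to be accepted by a virtual server that does not depend on control-channel inspection.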