Manual Chapter : Enabling FTPS on the FTP ALG Profile

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 13.0.1, 13.0.0
Manual Chapter

Overview: Enabling FTPS on the FTP ALG profile

When creating an FTP application layer gateway (ALG) profile, you can enable file transfer protocol secure (FTPS) to allow FTP clients to issue the authentication transport layer security (AUTH TLS) or AUTH secure socket layer (SSL) commands, and encrypt FTP traffic between the client and server for that connection. The BIG-IP® system switches the connection to pass through mode, but does not participate in the encryption process.

Task summary

About the FTP ALG profile with FTPS enabled

When configuring the FTP application layer gateway (ALG) profile, after enabling File Transfer Protocol Secure (FTPS), ALG switches to pass-through mode. This allows for an encrypted control connection to proceed. Once the connection is encrypted, it cannot be inspected for control commands, and firewall policies cannot be applied to the contents of the connection. For this reason, you must configure another virtual server, a wildcard CGNAT virtual server, to support the passive data transfer connections. FTPS only supports passive mode data transfers.

The wildcard and FTP virtual servers must share the same LSN pool, and address persistence must be configured on the pool. This configuration ensures that source address translation is consistent for the control and data connections that make up the file transfer.

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.

Creating an FTP ALG profile

You can configure a file transfer protocol (FTP) profile on the BIG-IP® system that transfers files and messages related to logs. By enabling FTP secure (FTPS), the application layer gateway (ALG) switches to pass-through mode, allowing an encrypted control connection to proceed.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > FTP .
    The FTP screen opens and displays a list of available FTP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. Select the Translate Extended check box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol.
    The default is selected.
  7. Select the Inherit Parent Profile check box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default.
    Note: If this setting is disabled, the data channel uses FastL4 (BigProto) only.
  8. In the Data Port field, type a number for an alternate port.
    The default value for the FTP data port is 20.
  9. In the Settings area, select the Allow FTPS check box.
  10. In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    Note: If you configure a log publisher, you must also configure a Logging Profile.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  11. From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various TFTP events.
    Note: If you configure a Logging Profile, you must also configure a Log Publisher.
  12. Click Finished.

Creating a virtual server using an FTP ALG profile

Define a virtual server in order to reference an FTP profile and LSN pool. The virtual server attached to an FTP ALG profile, along with a wildcard server, must share the same LSN pool with persistence enabled.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. In the Destination Address field, type the IP address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  6. In the Service Port field, type 21 or select FTP from the list.
  7. From the Protocol list, select TCP.
  8. From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
  9. From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
  10. From the FTP Profile list, select an FTP ALG profile for the virtual server to use.
  11. For the LSN Pool setting, select the pool that this server will draw on for addresses.
    Note: You must use the same LSN pool for the wildcard virtual server.
  12. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Creating a wildcard virtual server

Create a wildcard virtual server to support passive mode connections. The wildcard virtual server, along with the virtual server attached to an FTP ALG profile, must share the same LSN pool with persistence enabled.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  5. In the Service Port field, type 0.
    Note: Port 0 defines a wildcard virtual server that handles all types of services. If you specify a port number, you create a port-specific wildcard virtual server. In that case, the wildcard virtual server handles traffic only for the specified port.
  6. Click Finished.

Creating an FTP ALG logging profile

You can create an application layer gateway (ALG) logging profile, and associate it with one or more FTP ALG profiles, to allow you to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > ALG .
    The ALG logging profiles screen opens.
  2. Click Create.
    The New ALG Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    CSV Format Generates log entries in comma-separated-values (csv) format.
    Start Control Channel Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP® system.
    Note: Enabling the CSV check box affects splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types and only use standard syslog formats.
  7. Click Finished.