#15
2006-12-11
membree
Junior Member
Join Date: 2006-05-01
Location: Halifax, Nova Scotia, Canada
Posts: 6

Re: FTP over SSL fails with VPN-1/FireWall-1

FTP over TLS is not recognizable as FTP by VPN-1 because the control traffic is encrypted. The solution is to create an FTP control service but not specify a Protocol Type, or specify the type "FTP_BASIC", and explicitly allow any required data ports.

Since the firewall can't decrypt FTPS control traffic, it can't dynamically allow the required ports for FTP data inbound or outbound so we only allow PASV FTPS and have configured our FTPS servers for a specific range of PASV DATA ports that are explicitly allowed by the rule.

The new FTPS standard is very firewall-unfriendly; it is too bad that the opportunity wasn't taken to fix the FTP protocol so that it was firewall-friendly.
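A way to verify the setup the post describes, added here as an example and not part of the original post: since the firewall cannot see inside the encrypted control channel, the only thing keeping FTPS data connections working is that the server advertises PASV ports inside the range the rule explicitly allows. The script below parses RFC 959 `227` PASV replies, checks the port against the allowed range, and (in `check_server`) connects with explicit FTPS via `ftplib.FTP_TLS`, issues `PASV` a few times and reports any advertised data port the rule would drop. The port range 50000-50099, the hostname and the credentials are assumptions; the post gives no specific values.

```python
import re
import ftplib
from typing import List, Tuple

# Constructed example: the PASV data port range the firewall rule explicitly
# allows and the FTPS server is configured to use (assumption, not from the post).
ALLOWED_PASV_PORTS = range(50000, 50100)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Parse a 227 PASV reply into (host, port).

    The data port is encoded as two bytes: port = p1 * 256 + p2.
    Raises ValueError on anything that is not a well-formed 227 reply.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"byte value out of range in PASV reply: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError(f"PASV reply advertises port 0: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def pasv_port_allowed(reply: str, allowed: range = ALLOWED_PASV_PORTS) -> bool:
    """True if the data port advertised in a 227 reply is inside the allowed range."""
    _, port = parse_pasv_reply(reply)
    return port in allowed


def check_server(host: str, user: str, password: str,
                 allowed: range = ALLOWED_PASV_PORTS, samples: int = 5) -> List[int]:
    """Connect with explicit FTPS (AUTH TLS), request PASV several times and
    return every advertised data port that falls outside the allowed range.

    An empty list means the server's passive range matches the firewall rule.
    """
    ftps = ftplib.FTP_TLS()
    ftps.connect(host, 21, timeout=10)
    ftps.login(user, password)   # FTP_TLS.login issues AUTH TLS before USER/PASS
    ftps.prot_p()                # encrypt the data channel too
    outside: List[int] = []
    try:
        for _ in range(samples):
            reply = ftps.sendcmd("PASV")
            _, port = parse_pasv_reply(reply)
            if port not in allowed:
                outside.append(port)
    finally:
        ftps.quit()
    return outside


if __name__ == "__main__":
    # Offline demonstration on constructed replies; replace with check_server(...)
    # against a real host (hostname/credentials are placeholders).
    for sample in ("227 Entering Passive Mode (192,168,1,10,195,80)",
                   "227 Entering Passive Mode (10,0,0,5,4,1)"):
        host, port = parse_pasv_reply(sample)
        print(f"{host}:{port} allowed={port in ALLOWED_PASV_PORTS}")
```

Running `check_server("ftps.example.invalid", "user", "pass")` against the real server is the check to repeat after any server-side change to the passive range: a non-empty result means connections will start failing once the firewall drops the data port, with nothing in the encrypted control channel to explain why.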