FTP Inspection Overview - Cisco FirePOWER ASA 5500 series Configuration Manual

FTP Inspection

- Configuring an FTP Inspection Policy Map for Additional Inspection Control, page 25-27
- Verifying and Monitoring FTP Inspection, page 25-30

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four tasks:

- Prepares dynamic secondary data connection
- Tracks the FTP command-response sequence
- Generates an audit trail
- Translates the embedded IP address

FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.

Note: If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

Using the strict Option

Using the strict option with the inspect ftp command increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests.

Note: To specify FTP commands that are not permitted to pass through the security appliance, create an FTP map according to the "Configuring an FTP Inspection Policy Map for Additional Inspection Control" section on page 25-27.

After you enable the strict option on an interface, FTP inspection enforces the following behavior:

- An FTP command must be acknowledged before the security appliance allows a new command.
- The security appliance drops connections that send embedded commands.
- The 227 and PORT commands are checked to ensure they do not appear in an error string.

Caution: Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.

If the strict option is enabled, each FTP command and response sequence is tracked for the following anomalous activity:

- Truncated command—Number of commas in the PORT and PASV reply command is checked to see if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP connection is closed.
- Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 25-26
Chapter 25: Configuring Application Layer Protocol Inspection
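As an added illustration, not part of the Cisco guide, the following Python model applies the strict-option checks listed above (CRLF termination, embedded commands, the five-comma PORT/PASV address check, 227/PORT inside an error string, and one outstanding command at a time) to constructed FTP traffic. The appliance's internal implementation is not described on this page; in particular, treating an "embedded command" as a second CRLF-terminated command inside one request is this model's assumption.

```python
import re

PASV_RE = re.compile(r"^227 .*?\(([\d,]+)\)")  # 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)


def check_command(raw: bytes) -> str:
    """Strict-option checks for one client request; "ok" or the close reason."""
    if not raw.endswith(b"\r\n"):
        return "incorrect command: missing <CR><LF>"
    lines = raw[:-2].split(b"\r\n")
    if len(lines) > 1:
        # Assumed model of "embedded commands": a second command smuggled
        # into one request, as a browser-built FTP URL can do.
        return "embedded command"
    cmd = lines[0].decode("ascii", errors="replace")
    if cmd.upper().startswith("PORT ") and cmd.count(",") != 5:
        return "truncated PORT command"
    return "ok"


def check_reply(raw: bytes) -> str:
    """Strict-option checks for one server reply line; "ok" or the close reason."""
    if not raw.endswith(b"\r\n"):
        return "incorrect reply: missing <CR><LF>"
    text = raw[:-2].decode("ascii", errors="replace")
    if text.startswith("227"):
        m = PASV_RE.match(text)
        if m is None or m.group(1).count(",") != 5:
            return "truncated PASV reply"
    elif text[:1] in ("4", "5") and ("227" in text[4:] or "PORT" in text[4:]):
        # An address announcement hidden in an error string must not be
        # allowed to open a data-channel pinhole.
        return "227/PORT inside error string"
    return "ok"


class StrictSession:
    """Command-response tracker: a command must be acknowledged before the next."""
    def __init__(self) -> None:
        self.awaiting_reply = False
    def client(self, raw: bytes) -> str:
        if self.awaiting_reply:
            return "command sent before previous one was acknowledged"
        verdict = check_command(raw)
        self.awaiting_reply = verdict == "ok"
        return verdict
    def server(self, raw: bytes) -> str:
        verdict = check_reply(raw)
        if verdict == "ok" and not raw.startswith(b"1"):  # 1xx is preliminary
            self.awaiting_reply = False
        return verdict
```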