mansurw02
asked on
FTP access to server behind WatchGuard Firebox
Is it possible to open the ftp port (21) to just one server behind the firebox? We have vendors that will be dropping off files in an ftp server that we will be hosting. I'd like to open port 21 on the firebox but in a way that doesn't open the port to all other servers behind the firebox.
ASKER
I set up an ftp server behind the watchguard and tried opening up the port just to one of the internal server, the ftp server. (ie. From: Any, To: a specific internal host address) I was not able to connect to it until I finally configured the ftp port as Any/Any. I'm assuming this isn't the best practice.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I set To public-IP (from whatismyip.com) and it worked great. As I am relatively new in this position, how do I check if the public IP is static or if it is dynamic? I know the internal IP is static but I am not sure about the public IP as it differs from the Firebox external IP. I don't want to have to keep updating the firewall policy whenever I reboot the ftp server.
In Policy Manager go to Network->Configuration; if you have the IP on external configured as static further also have secondary network or aliases configured then you have static IP; you can always call up your ISP and check with them if they have provided static IP or what is the service they are providing.
Thank you.
Thank you.
ASKER
Thank you! Everything works great.
Please note if the attacker or remote user is intelligent enough to send FTP traffic and in that hide another traffic then other traffic would also reach the internal server; doing so is however bit tough and would need a lot of expertise. Normally you would never hit this scenario.
So go ahead and open the FTP service to just the needed server and thigs should be good.
Thank you.