[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1360
  • Last Modified:

FTP access to server behind WatchGuard Firebox

Is it possible to open the ftp port (21) to just one server behind the firebox?  We have vendors that will be dropping off files in an ftp server that we will be hosting.  I'd like to open port 21 on the firebox but in a way that doesn't open the port to all other servers behind the firebox.  
0
mansurw02
Asked:
mansurw02
  • 3
  • 3
1 Solution
 
dpk_walCommented:
When you open service on any port on the firewall only that specific port/protocol is allowed to the internal machine; so in your case if you use FTP proxy and allow the inbound traffic for FTP that would come in to that server only and no other internal machine. Also, all other traffic would be denied.

Please note if the attacker or remote user is intelligent enough to send FTP traffic and in that hide another traffic then other traffic would also reach the internal server; doing so is however bit tough and would need a lot of expertise. Normally you would never hit this scenario.

So go ahead and open the FTP service to just the needed server and thigs should be good.

Thank you.
0
 
mansurw02Author Commented:
I set up an ftp server behind the watchguard and tried opening up the port just to one of the internal server, the ftp server.  (ie.  From: Any, To: a specific internal host address)  I was not able to connect to it until I finally configured the ftp port as Any/Any.  I'm assuming this isn't the best practice.
0
 
dpk_walCommented:
Yes, you should not have from/to as any/any on any service; you should rather have:
From ANY or specific IP/subnet (if applicable)
To public-ip-or-external-ip->internal-ip [static NAT]; or public-IP [public IP of 1-1 NAT]

This should work; can you check and update.

Thank you.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
mansurw02Author Commented:
I set To public-IP (from whatismyip.com) and it worked great.  As I am relatively new in this position, how do I check if the public IP is static or if it is dynamic?  I know the internal IP is static but I am not sure about the public IP as it differs from the Firebox external IP.  I don't want to have to keep updating the firewall policy whenever I reboot the ftp server.
0
 
dpk_walCommented:
In Policy Manager go to Network->Configuration; if you have the IP on external configured as static further also have secondary network or aliases configured then you have static IP; you can always call up your ISP and check with them if they have provided static IP or what is the service they are providing.

Thank you.
0
 
mansurw02Author Commented:
Thank you!  Everything works great.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now