File Transfer Protocol version 6 (FTPv6) is an updated version of the classic FTP protocol that enables the transfer of files between a client and a server over an Internet Protocol version 6 (IPv6) network. It builds upon the principles of FTPv4 while adding support for IPv6, which provides a larger address space and improved network routing capabilities.

The following are some of the high-level use cases for FTPv6 Firewall and Business Policy rules:
  • Allowing FTPv6 traffic from specific/random hosts
  • Blocking FTPv6 traffic from specific/random hosts
  • Allowing FTPv6 traffic on specific/random ports
  • Blocking FTPv6 traffic on specific/random ports

Use Case: Identifying Passive FTPv6 Traffic and Applying FTP Firewall Rules

In this scenario, Passive FTPv6 mode uses random port numbers for data transfer, so the traffic is challenging to identify as FTP because it does not use the standard ports 20 and 21. An efficient Deep Packet Inspection (DPI) solution is required to detect passive FTPv6 traffic and apply the appropriate firewall rules for allowing or denying access.

Release 5.4 supports application identification for both FTPv4 and FTPv6 in Active and Passive modes when using the VMware SD-WAN service. This enables customers to easily identify and permit passive FTPv6 traffic using a generic FTP firewall rule. This streamlined process benefits the customer by simplifying the management of FTPv6 traffic while ensuring secure and controlled access.
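
The port learning a DPI engine has to do for passive FTPv6, as an added example that is not part of the original page and is not VMware's implementation: it reads the RFC 2428 EPSV reply (and the EPRT command for active mode) on the control connection and labels the negotiated data flow. The class name, the sample lines and the documentation-range addresses are constructed for illustration; the two application names are the ones offered in the rule dialog.

```python
import ipaddress
import re

# RFC 2428 reply to EPSV: "229 text (<d><d><d>port<d>)"; <d> is one delimiter char.
EPSV_REPLY = re.compile(r"^229 .*\((?P<d>[!-~])(?P=d){2}(?P<port>\d{1,5})(?P=d)\)")
# RFC 2428 active-mode command: "EPRT <d>af<d>addr<d>port<d>"; af 2 means IPv6.
EPRT_CMD = re.compile(
    r"^EPRT (?P<d>[!-~])(?P<af>[12])(?P=d)(?P<addr>\S+?)(?P=d)(?P<port>\d{1,5})(?P=d)\s*$",
    re.IGNORECASE)

FTP_CONTROL = "File Transfer Protocol"    # application names used in the rule dialog
FTP_DATA = "File Transfer Protocol Data"

# Constructed sample exchange: (from_client, control-channel line).
SAMPLE = [(True, "EPSV\r\n"), (False, "229 Entering Extended Passive Mode (|||50214|)\r\n")]


class FtpControlTracker:
    """Learns negotiated data endpoints from one FTP control connection."""

    def __init__(self, client, server):
        self.client = ipaddress.ip_address(client)
        self.server = ipaddress.ip_address(server)
        self.expected = set()  # (listening address, port) pairs learned so far

    def on_line(self, from_client, line):
        """Feed one control-channel line; from_client is True for commands."""
        if not from_client:
            m = EPSV_REPLY.match(line)
            if m:  # EPSV carries no address: the listener is the control server
                self.expected.add((self.server, int(m["port"])))
            return
        m = EPRT_CMD.match(line)
        if not m:
            return
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            return
        # Only trust an EPRT that names the control-connection client itself.
        if addr == self.client:
            self.expected.add((addr, int(m["port"])))

    def classify(self, dst_ip, dst_port):
        """Name the application for a new flow to dst_ip:dst_port, or None."""
        dst = ipaddress.ip_address(dst_ip)
        if dst == self.server and dst_port == 21:
            return FTP_CONTROL
        return FTP_DATA if (dst, dst_port) in self.expected else None
```

This kind of tracking depends on a cleartext control channel; when the session is wrapped in TLS (FTPS) the EPSV reply is not visible to the inspecting device.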

Steps to configure a firewall rule matching the FTP application at the Edge level:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges. The Edges page displays the existing Edges.
  2. Select an Edge to configure a firewall rule matching the FTP application, and click the Firewall tab.
  3. Go to the Configure Firewall section and, under the Firewall Rules area, click + NEW RULE. The Configure Rule dialog box appears.
  4. In the Rule Name text box, enter a unique name for the Rule.
  5. In the Match section, from the Applications drop-down menu select Define. This allows you to select the Application Category and Application to apply a specific firewall rule.
  6. From the Application Category menu, select File Sharing, and from the Application drop-down menu select either File Transfer Protocol (for Control connection) or File Transfer Protocol Data (for Data connection).
  7. Click Create. A firewall rule matching the FTP application is created at the Edge level, and it appears in the Firewall Rules area.
Note: Similarly, you can configure a Business Policy rule matching the FTP application at the Edge level by following the same steps from the Business Policy tab.