Cisco Web Security Appliance S670 Troubleshooting Guide

Question:
What types of FTP proxy does the WSA support?
The Cisco Web Security Appliance (WSA) currently supports three methods of FTP proxy:
• FTP over HTTP
• FTP over HTTP Tunneling
• Native FTP
These methods use different techniques to communicate. Details of each are below.
FTP over HTTP
This method is commonly used by web browsers (IE, Firefox, Opera). It is a rather unique technique: the
"Client -> WSA" leg is done purely in HTTP, while the "WSA -> Internet" leg uses FTP. Because the client
side is ordinary HTTP, the request appears in the access log as a GET of an ftp:// URL. Once the WSA
receives the response from the FTP server, it determines whether the requested object is a directory or a
file. If the object is a directory, the WSA composes a directory listing in HTML and forwards it to the client.
If the object is a file, the WSA downloads the file and streams it to the client.
Below is an example of what you would see in the access log for "FTP over HTTP":
----------------------------------------------------------------------------------------
1219138948.126 18058 192.168.10.100 TCP_MISS/200 1993 GET ftp://ftp.example.com/ -
DIRECT/ftp.example.com text/html DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,->
FTP over HTTP Tunneling
This method requires you to allow the majority of ports under "Web Security Manager" > "Web Access
Policies" > "Applications" > "HTTP CONNECT Ports". FTP servers typically allocate passive data ports from
49152 - 65535 (the IANA dynamic range), but in many cases they use 1024 - 65535. The client issues a
"PASV" command on the control channel, the server replies with an address and port, and the client then
sends a CONNECT for that port to establish the data channel; if that port is not in the HTTP CONNECT Ports
list, the data channel fails even though the control channel succeeded. Keep in mind that a CONNECT tunnel
is opaque to the proxy, so opening a broad port range allows arbitrary tunneled TCP to those ports; allow
only as wide a range as the FTP servers you need actually require.
If everything goes well, you will see two entries in the access log:
----------------------------------------------------------------------------------------
1219137634.898 10707 192.168.10.100 TCP_MISS/0 160 CONNECT ftp.example.com:21/ -
DIRECT/ftp.example.com - DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,-> -
1219137698.512 287 192.168.10.100 TCP_MISS/0 240 CONNECT 192.168.10.10:57918/ -
DIRECT/192.168.10.10 text/plain DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,-> -
The entries above show that both the control channel (first line, CONNECT to port 21) and the data channel
(second line, CONNECT to the high port returned by PASV) were successfully established.
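The following is an added example, not Cisco code or part of this guide, that shows how to tell the two FTP proxy modes apart in the access log excerpts above and how to replay a log against a candidate "HTTP CONNECT Ports" range to see which PASV data channels a narrower range would have refused. It assumes the Squid-style field order visible in the excerpts (timestamp, elapsed, client, result, bytes, method, URL, user, hierarchy, MIME type, ACL tag); the sample log is constructed from the three lines quoted on this page plus one hypothetical data-channel line on port 2048.

```python
"""Classify Cisco WSA access-log lines by FTP proxy mode and check tunneled
data-channel ports against a candidate HTTP CONNECT port list.
Added example, not Cisco code; field layout and sample log are assumptions
taken from the excerpts on this page."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three lines quoted on this page, plus a hypothetical
# fourth CONNECT whose PASV port (2048) sits below the 49152-65535 range.
SAMPLE_LOG = """\
1219138948.126 18058 192.168.10.100 TCP_MISS/200 1993 GET ftp://ftp.example.com/ - DIRECT/ftp.example.com text/html DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,->
1219137634.898 10707 192.168.10.100 TCP_MISS/0 160 CONNECT ftp.example.com:21/ - DIRECT/ftp.example.com - DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,-> -
1219137698.512 287 192.168.10.100 TCP_MISS/0 240 CONNECT 192.168.10.10:57918/ - DIRECT/192.168.10.10 text/plain DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,-> -
1219137700.001 15 192.168.10.100 TCP_MISS/0 240 CONNECT 192.168.10.10:2048/ - DIRECT/192.168.10.10 text/plain DEFAULT_CASE-FTPACCESS <nc,ns,0,-,-,-,-,0,-,-,-,-,-> -
"""

PortRange = Tuple[int, int]


@dataclass
class Entry:
    timestamp: float
    client: str
    method: str
    url: str
    result: str               # e.g. TCP_MISS/200
    policy: str               # ACL decision tag, e.g. DEFAULT_CASE-FTPACCESS
    kind: str                 # see classify()
    dest_port: Optional[int]  # only set for CONNECT entries


def classify(method: str, url: str, port: Optional[int]) -> str:
    """Map one request to the FTP proxy mode that produced it."""
    if method == "GET" and url.startswith("ftp://"):
        return "ftp-over-http"        # client spoke HTTP, WSA spoke FTP upstream
    if method == "CONNECT" and port == 21:
        return "ftp-tunnel-control"   # tunneled FTP control channel
    if method == "CONNECT":
        return "ftp-tunnel-data"      # tunneled PASV data channel
    return "other"


def parse_line(line: str) -> Entry:
    """Split on whitespace; the <...> verdict field contains no spaces, so the
    first eleven fields are stable."""
    f = line.split()
    ts, _elapsed, client, result, _nbytes, method, url, _user, _hier, _mime, policy = f[:11]
    port = None
    if method == "CONNECT":
        # CONNECT targets are logged as host:port/ ; strip the slash, split on last colon
        port = int(url.rstrip("/").rsplit(":", 1)[1])
    return Entry(float(ts), client, method, url, result, policy,
                 classify(method, url, port), port)


def port_allowed(port: int, allowed: List[PortRange]) -> bool:
    """True if port falls inside any (low, high) inclusive range."""
    return any(lo <= port <= hi for lo, hi in allowed)


def analyse(log_text: str, allowed: List[PortRange]):
    """Return (entries, refused): data-channel CONNECTs whose port is outside
    `allowed` are the ones a narrower HTTP CONNECT Ports list would break."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    refused = [e for e in entries
               if e.kind == "ftp-tunnel-data" and not port_allowed(e.dest_port, allowed)]
    return entries, refused


if __name__ == "__main__":
    for ranges in ([(49152, 65535)], [(1024, 65535)]):
        entries, refused = analyse(SAMPLE_LOG, ranges)
        print(ranges, [e.kind for e in entries],
              "would be refused:", [e.dest_port for e in refused])
```

Run against a log captured with a permissive CONNECT port list, the refused list tells you what the IANA dynamic range alone would break before you tighten the setting; the control-channel entry is deliberately excluded from that check because port 21 is what the client always needs first.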
Filezilla is one example of an application that supports this kind of transaction. To enable this feature in
Filezilla, go to: