I want to start by saying I am a novice and still learning about networking in general.

We have recently set up a FileZilla Enterprise Pro FTP server. To get it functioning through the FW, I created a policy to allow the passive ports using the FZ-suggested ports, 49152 - 65534.

For some reason, when the policy is enabled on the FW, our IPSec tunnel will not allow connections as the public IP can no longer be found. If I disable the FTP policy, everyone can connect fine after a few minutes, and enabling the policy after they are reconnected does not kick anyone off.

As IPSec should be using different ports, I am at a loss, and honestly I just don’t know enough to continue troubleshooting. Thanks in advance for any advice.


That’s quite a large range.

What port is the FTP running on, 20/21, 22 or something else?

I’m not an expert, so I set it up following their directions for passive mode. It is running on port 22, and externally they are able to connect and send data using port 22. But it would fail until I created an FTP policy on the FW that also included the above-mentioned passive ports suggested by FZ.

Can you please share the link you are using to create this?

Can you also define "fail": fail to connect, fail to transfer? How are you testing, and is the person connecting also behind a firewall?

Outside-to-inside FTP works fine. When a user attempts to connect to the IPSec tunnel, the error received is that it can’t find the connection. When trying to ping the public IP from outside the FW, it comes back timed out. So it’s as if my policy is just killing the public IP, but FTP works fine.

I expect it’s your rule order, but pings not working can be a good thing from a security perspective.

I’ve tried dropping the SFTP policy below the IPSec and it did not help.
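As an added illustration (not from the thread and not modelled on any particular firewall vendor): a small first-match policy simulator for checking which rule captures the SFTP, FTP passive, IPSec and ping traffic the thread discusses, with a constructed over-broad FTP policy beside a scoped one. The rule names and the "forward everything to the FTP host" rule are assumptions for the demo; IKE on UDP 500, NAT-T on UDP 4500 and ESP are the standard IPSec protocols.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example policy model; not the poster's real firewall configuration.
@dataclass
class Rule:
    name: str
    proto: str                          # "tcp", "udp", "esp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]    # inclusive (low, high); None = any port / portless

    def matches(self, proto: str, port: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports is None:
            return True
        return port is not None and self.ports[0] <= port <= self.ports[1]

def first_match(rules, proto: str, port: Optional[int] = None) -> Optional[str]:
    """First-match evaluation: the first rule hit decides how the packet is handled.
    Returns that rule's name, or None for the implicit default (nothing matched)."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.name
    return None

# Traffic classes from the thread: SFTP on 22, a port inside the FZ passive range,
# IPSec control (IKE), NAT-T, ESP payload, and an ICMP echo against the public IP.
PROBES = {
    "sftp": ("tcp", 22),
    "passive": ("tcp", 50000),
    "ike": ("udp", 500),
    "ike-nat-t": ("udp", 4500),
    "esp": ("esp", None),
    "icmp-echo": ("icmp", None),
}

def coverage(rules) -> dict:
    """Map each probe to the rule that captures it under first-match evaluation."""
    return {n: first_match(rules, proto, port) for n, (proto, port) in PROBES.items()}

# Hypothetical over-broad policy: an any-protocol, any-port FTP rule ordered first.
BROAD_FTP_POLICY = [
    Rule("ftp-any", "any", None),
    Rule("ipsec-ike", "udp", (500, 500)),
    Rule("ipsec-natt", "udp", (4500, 4500)),
    Rule("ipsec-esp", "esp", None),
]

# Scoped version: IPSec rules first, FTP limited to TCP/22 and the passive range only.
SCOPED_FTP_POLICY = [
    Rule("ipsec-ike", "udp", (500, 500)),
    Rule("ipsec-natt", "udp", (4500, 4500)),
    Rule("ipsec-esp", "esp", None),
    Rule("sftp", "tcp", (22, 22)),
    Rule("ftp-passive", "tcp", (49152, 65534)),
]
```

Running `coverage()` over each policy shows that the broad rule swallows IKE, NAT-T and ESP before the IPSec rules are reached, while the scoped set leaves them to the IPSec rules and only ICMP falls through to the default.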