Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Disable FTP on WLC

  • 1.  Disable FTP on WLC

    Posted May 07, 2019 05:59 PM

    I understand that FTP is used to push images from the WLC to the AP. However, our WLCs keep coming up on security audits for FTP being open. I can't keep explaining this to the security team every time they do an audit.

    So my question is, how can I disable this port in Aruba OS 8 (8.3.0.5 to be exact)? I have a few WLCs on 6.5 and I just selected 'Disable FTP server' under Config>Advanced Service>Stateful Firewall>Global Setting and when doing a scan I see FTP is closed.

    I tried doing the same on OS 8, but doing a scan I still see FTP open. Any suggestions?



  • 2.  RE: Disable FTP on WLC

    Posted May 07, 2019 06:04 PM

    Under Services> Firewall:

    Screenshot 2019-05-07 at 17.02.43.png

     

    EDIT:  Did you type "show firewall | include FTP" on the individual MD to see if it is indeed disabled?



  • 3.  RE: Disable FTP on WLC

    Posted May 07, 2019 06:06 PM

    I checked this option (services>firewall>disable ftp) on my 8.3.0.5 WLCs and running a scan still shows FTP is open.

     

    EDIT: I just ran the show command on the CLI and it doesn't look like it's actually enabled. 



  • 4.  RE: Disable FTP on WLC

    Posted May 07, 2019 06:21 PM

    Type "show netstat | include :21" on the MD and see if the port is still open.



  • 5.  RE: Disable FTP on WLC

    Posted May 07, 2019 06:24 PM

    This is the output when running the command:

     

    (WLC) [MDC] *#show netstat | include :21

    tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))

     

    Port is in listen mode still.
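
An added example (not part of the original posts and not Aruba tooling): a small parser for the `show netstat` output quoted above that reports only sockets in LISTEN state on exactly port 21, since `include :21` is a substring match and also prints ports such as 2126 or sessions whose peer port is 21. The function name and the last two sample lines are constructed for illustration.

```python
import re

# ss-style line as printed by "show netstat" in the thread:
#   tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)
WILDCARDS = {"::", "[::]", "0.0.0.0", "*"}  # bound on every interface

def find_listeners(output, port=21):
    """Return sockets in LISTEN state whose local port is exactly `port`."""
    hits = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["state"] != "LISTEN":
            continue  # prompts, headers, established sessions
        # Split on the last colon so IPv6 forms such as ":::21" parse.
        addr, _, local_port = m["local"].rpartition(":")
        if local_port != str(port):
            continue  # e.g. :2126, which "include :21" would also print
        hits.append({
            "proto": m["proto"],
            "address": addr,
            "all_interfaces": addr in WILDCARDS,
            "process": m["proc"],
            "pid": int(m["pid"]) if m["pid"] else None,
        })
    return hits

# First two lines are from the thread; the last two are constructed.
SAMPLE = """\
(WLC) [MDC] *#show netstat | include :21
tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))
tcp LISTEN 0 128 :::2126 :::* users:(("exampled",pid=1200,fd=5))
tcp ESTAB 0 0 10.0.0.5:40112 10.0.0.9:21
"""

if __name__ == "__main__":
    for hit in find_listeners(SAMPLE):
        scope = "all interfaces" if hit["all_interfaces"] else hit["address"]
        print(f'{hit["proto"]}/21 LISTEN on {scope}: '
              f'{hit["process"]} (pid {hit["pid"]})')
```

Saving the output of each controller before and after a configuration change and running it through the same check gives the audit team a per-device record of whether the listener is gone.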



  • 6.  RE: Disable FTP on WLC

    Posted May 07, 2019 07:17 PM

    If you have an MM, was it disabled on the MM or at the node level? If at the node level did you disable globally or at the device level?

     

    I just tested on my lab and when disabled at the node, but the top level and on a device, it removed the service. If you just disable on the MM, it won't disable it on the MCs.

     



  • 7.  RE: Disable FTP on WLC

    Posted May 07, 2019 07:22 PM

    I do have an MM. I tried to disable on the MM (since the MMs show up with FTP open) and it didn't work. I also tried to disable at the top level of my MDs which isn't working. Are you saying I should disable at the node level?



  • 8.  RE: Disable FTP on WLC

    Posted May 07, 2019 08:26 PM

    Yes.  Try that.



  • 9.  RE: Disable FTP on WLC

    Posted May 08, 2019 11:34 AM

    I disabled at the higher levels and enabled at the node level and still the same thing. I'll give TAC a call.



  • 10.  RE: Disable FTP on WLC

    Posted May 07, 2019 07:17 PM

    It's odd that when I do 'show firewall', under the action column for 'Disable FTP server' it says NO. All other actions are Enabled or Disabled.