I understand that FTP is used to push images from the WLC to the AP. However our WLCs keep coming up on security audits for FTP being open. I can't keep explaining this to the security team every time they do an audit.
So my question is, how can I disable this port in Aruba OS 8 (220.127.116.11 to be exact)? I have a few WLCs on 6.5 and I just selected 'Disable FTP server' under Config>Advanced Service>Stateful Firewall>Global Setting and when doing a scan I see FTP is closed.
I tried doing the same on OS 8, but doing a scan I still see FTP open. Any suggestions?
Under Services> Firewall:
EDIT: Did you type "show firewall | include FTP" on the individual MD to see if it is indeed disabled?
I checked this option (services>firewall>disable ftp) on my 18.104.22.168 WLCs and running a scan still shows FTP is open.
EDIT: I just ran the show command on the CLI and it doesn't look like it's actually enabled.
type "show netstat | include :21" on the MD and see if the port is still open.
This is the output when running the command:
(WLC) [MDC] *#show netstat | include :21
tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))
Port is in listen mode still.
If you have an MM, was it disabled on the MM or at the node level? If at the node level did you disable globally or at the device level?
I just tested on my lab and when disabled at the node, but the top level and on a device, it removed the service. If you just disable on the MM, it won't disable it on the MCs.
I do have an MM. I tried to disable on the MM (since the MMs show up with FTP open) and it didn't work. I also tried to disable at the top level of my MDs which isn't working. Are you saying I should disable at the node level?
Yes. Try that.
I disabled at the higher levels and enabled at the node level and still the same thing. I'll give TAC a call.
It's odd that when I do 'show firewall', under the action column for 'Disable FTP server' it says NO. All other actions are Enabled or Disabled.
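An added example, not part of the thread and not Aruba code: a small Python check that reads saved "show netstat" output per controller and reports only real listeners on TCP port 21, since a plain substring filter on ":21" also matches ports such as 2121 or 52121. The device names and every sample line except the vsftpd line quoted above are constructed for illustration, and the line format is assumed to match the one shown in the thread.

```python
import re

# Constructed captures of "show netstat" per device. Only the vsftpd line
# comes from the thread; the other lines and the device names are made up.
SAMPLE = {
    "md-1": 'tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))\n'
            'tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=3100,fd=4))\n',
    "md-2": 'tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=3100,fd=4))\n'
            'tcp ESTAB 0 0 10.0.0.5:4343 10.0.0.9:52121 users:(("httpd",pid=2200,fd=9))\n'
            'tcp LISTEN 0 5 127.0.0.1:2121 *:* users:(("helper",pid=900,fd=3))\n',
}

# proto, state, recv-q, send-q, local addr:port, peer addr:port, optional process
LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def listeners(text, port):
    """Return (bind_address, process) for every LISTEN socket on exactly `port`."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["state"] != "LISTEN":
            continue  # prompts, headers and established sessions are ignored
        # Split on the last colon so IPv6 forms like ":::21" parse correctly.
        addr, _, local_port = m["local"].rpartition(":")
        if local_port == str(port):
            hits.append((addr or "*", m["proc"] or "unknown"))
    return hits

def audit(captures, port=21):
    """Map each device name to its listeners on `port` (empty list = closed)."""
    return {dev: listeners(out, port) for dev, out in captures.items()}

if __name__ == "__main__":
    for dev, hits in audit(SAMPLE).items():
        status = ", ".join(f"{proc} on {addr}" for addr, proc in hits) or "not listening"
        print(f"{dev}: port 21 {status}")
```
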