Occasional Contributor II

Disable FTP on WLC

I understand that FTP is used to push images from the WLC to the AP. However, our WLCs keep coming up on security audits for FTP being open. I can't keep explaining this to the security team every time they do an audit.

 

So my question is, how can I disable this port in Aruba OS 8 (8.3.0.5 to be exact)? I have a few WLCs on 6.5 and I just selected 'Disable FTP server' under Config>Advanced Service>Stateful Firewall>Global Setting and when doing a scan I see FTP is closed.

 

I tried doing the same on OS 8, but doing a scan I still see FTP open. Any suggestions?

Guru Elite

Re: Disable FTP on WLC

Under Services> Firewall:

[Image: Screenshot 2019-05-07 at 17.02.43.png]

 

EDIT:  Did you type "show firewall | include FTP" on the individual MD to see if it is indeed disabled?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: Disable FTP on WLC

I checked this option (services>firewall>disable ftp) on my 8.3.0.5 WLCs and running a scan still shows FTP is open.

 

EDIT: I just ran the show command on the CLI and it doesn't look like it's actually enabled. 

Guru Elite

Re: Disable FTP on WLC

Type "show netstat | include :21" on the MD and see if the port is still open.


Occasional Contributor II

Re: Disable FTP on WLC

This is the output when running the command:

 

(WLC) [MDC] *#show netstat | include :21

tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))

 

Port is in listen mode still.
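
Added example, not part of any post in this thread: a Python sketch that parses saved `show netstat` output and reports sockets listening on exactly port 21, since the `include :21` filter also matches ports such as 2121 and established sessions. The line format is assumed from the single line posted above; the function names and all sample lines except the first are constructed.

```python
import re

# ss-style line as posted in the thread:
#   tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))
LINE_RE = re.compile(
    r'^(?P<proto>\S+)\s+(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\))?'
)

def split_port(endpoint):
    """Split on the last colon so ':::21', '[::]:21' and '0.0.0.0:21' all work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def listeners_on_port(netstat_text, port=21):
    """Return (local_addr, process, pid) for each LISTEN socket bound to exactly `port`."""
    found = []
    for raw in netstat_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("state") != "LISTEN":
            continue  # CLI prompt lines, headers and non-listening sockets
        addr, p = split_port(m.group("local"))
        if p != str(port):
            continue  # e.g. 2121 contains ":21" but is a different port
        pid = int(m.group("pid")) if m.group("pid") else None
        found.append((addr, m.group("proc"), pid))
    return found

# First data line is the output posted in the thread; the rest are constructed.
SAMPLE = """\
(WLC) [MDC] *#show netstat | include :21
tcp LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=4516,fd=3))
tcp LISTEN 0 128 :::2121 :::* users:(("exampled",pid=1001,fd=5))
tcp ESTAB 0 0 192.0.2.10:21 192.0.2.50:40112 users:(("vsftpd",pid=4520,fd=0))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    hits = listeners_on_port(SAMPLE)
    for addr, proc, pid in hits:
        print(f"TCP/21 still listening on {addr or '*'}: process={proc} pid={pid}")
    if not hits:
        print("No listener on TCP/21")
```

Run against output saved from each MD after a configuration change; the owning process name is what an audit finding should cite.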

Occasional Contributor II

Re: Disable FTP on WLC

It's odd that when I do 'show firewall', under the action column for 'Disable FTP server' it says NO. All other actions are Enabled or Disabled.

Re: Disable FTP on WLC

If you have an MM, was it disabled on the MM or at the node level? If at the node level did you disable globally or at the device level?

 

I just tested on my lab and when disabled at the node, but the top level and on a device, it removed the service. If you just disable on the MM, it won't disable it on the MCs.

 


Jerrod Howard
Distinguished Technologist, TME
Occasional Contributor II

Re: Disable FTP on WLC

I do have an MM. I tried to disable on the MM (since the MMs show up with FTP open) and it didn't work. I also tried to disable at the top level of my MDs which isn't working. Are you saying I should disable at the node level?

Guru Elite

Re: Disable FTP on WLC

Yes.  Try that.


Occasional Contributor II

Re: Disable FTP on WLC

I disabled at the higher levels and enabled at the node level and still the same thing. I'll give TAC a call.
