AskF5 Knowledge Base

Applies To:

Show Versions Show Versions
sol8021: Configuring the BIG-IP LTM system to allow outbound FTP sessions
How-ToHow-To

Original Publication Date: 10/17/2007
Updated Date: 05/06/2013

You can configure the BIG-IP LTM system to allow internal nodes to make outbound FTP connections. Due to the nature of the FTP protocol, it is necessary to perform certain configuration requirements on the BIG-IP system to accomplish this. For example, the FTP profile must be associated with the virtual server. The FTP profile allows the BIG-IP LTM system to alter the FTP control data so that address translation works correctly. In addition, since it is common for nodes behind the BIG-IP system to have non-routable IP addresses, the BIG-IP LTM system may need to be configured to perform source address translation both in the IP header and in the FTP control channel payload.

The following configuration is designed so that when a node opens a new FTP control connection to an FTP server, the connection is processed by the virtual server and passed to the pool members which are the devices directly upstream from the BIG-IP LTM. Since address translation is disabled for the virtual server, the destination address remains that of the FTP server and the upstream device forwards the packets.

If a SNAT object is configured, the source address will be replaced with that of the SNAT address and the FTP control data will be modified as necessary to use the correct new IP address and to detect the FTP mode (passive or active) that is in use, and handle any necessary FTP data connections correctly.

Note: For FTPS load balancing, refer to SOL9347: Configuring passthrough FTPS load balancing.

To configure the BIG-IP LTM to allow outbound FTP sessions, you must perform the following procedures:

Configuring the FTP pool

The pool member IP address is the IP address of the routers directly upstream from the BIG-IP LTM system.

To configure the FTP pool, perform the following procedure:

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Pools.
  4. Click Create.
  5. Type a name for the FTP pool.
  6. In the Health Monitor section, choose the gateway_icmp monitor from the Available window.
  7. Move the gateway_icmp monitor to the Active window.
  8. In the Address field enter the IP address of the routers directly upstream from the BIG-IP LTM system.

    Note: This is typically the same IP address that is specified for the gateway address. It can also be separate from the gateway address, or you may define multiple router IP addresses.

  9. Select * All Services from the Service Port menu.
  10. Click Add.

Configuring the FTP virtual server

To configure the FTP virtual server, perform the following procedure:

  1. Click Local Traffic.
  2. Click Virtual Servers.
  3. Click Create.
  4. Type a name for the FTP virtual server.
  5. In the Destination section, click Network.
  6. Enter 0.0.0.0 for both the Address and Mask.

    Note: You can use a specific IP address and netmask.

  7. Select FTP from the Service Port menu.
  8. Select Advanced from the Configuration menu.
  9. Select Standard from the Type menu.
  10. Select ftp from the FTP Profile menu.

    Note: F5 recommends that you use the default FTP profile.

  11. Select Enabled on from the VLAN Traffic menu.
  12. Select the VLANs from which nodes will initiate FTP sessions.
  13. Clear the Address Translation and Port Translation check boxes.
  14. If the source IP address must be changed due to the use of non-routable IP addresses, choose a SNAT pool or Auto Map from the SNAT Pool menu.
  15. Select the FTP pool that you created from the Default Pool menu.
  16. Click Finished.

Configuring the FTP iRule (Optional)

You can optionally configure the FTP iRule if the node IP addresses must be translated to a specific address by the BIG-IP system.

For example, if you want the BIG-IP LTM system to translate the client IP address of 10.1.1.100 to 100.100.100.100 before sending the request to the ftp_gateway_pool pool member, or translate the client IP address of 10.1.1.101 to 100.100.100.111 before sending the request to the ftp_gateway_pool pool member, you could use the following iRule:

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 10.1.1.100]  } {
    snat 100.100.100.100
    pool ftp_gateway_pool
  }
  elseif { [IP::addr [IP::client_addr] equals 10.1.1.101] } {
    snat 100.100.100.111
    pool ftp_gateway_pool
  }
  else {
    discard
  }
}

To configure the FTP iRule, perform the following procedure:

  1. Click Local Traffic.
  2. Click iRules.
  3. Click Create.
  4. Type a name for the iRule.
  5. Enter the iRule code in the Definition field.
  6. Click Finished.
  7. Associate the iRule with the FTP virtual server.

Configuring the Source Address Affinity persistence profile (Optional)

You can optionally configure the Source Address Affinity persistence profile if the BIG-IP system sends connections to multiple upstream routers or firewalls, and if the FTP control and data channels need to take the same path.

For example, if the upstream devices are firewalls performing FTP connection tracking, you should configure the persistence profile and associate it with the virtual server. In this case, a source address persistence profile ensures that the BIG-IP LTM system sends multiple outgoing connections through the same gateway.

Note: If the BIG-IP system sends connections to one upstream router or firewall, this step is not necessary.

To configure the Source Address Affinity persistence profile, perform the following procedure:

  1. Click Local Traffic.
  2. Click Profiles.
  3. Select the Persistence menu.
  4. Click Create.
  5. Type a name for the persistence profile.
  6. Select Source Address Affinity from the Persistence Type menu.
  7. Click Finished.
  8. Associate the persistence profile with the FTP virtual server.

Best Practices

When implementing a BIG-IP Link Controller, F5 recommends that you use the configuration defined in this article. The BIG-IP Link Controller configuration usually contains an any:any virtual server configuration with an associated SNAT object. The any:21 virtual server with FTP profile noted in this article ensures that the BIG-IP Link Controller properly translates the FTP control protocol.

When applying SNATs and a forwarding virtual that forwards general purpose traffic, F5 recommends that you create a unique any:21 forwarding virtual server that is associated with an FTP profile. The any:any forwarding virtual configured with SNATs does not properly translate the FTP control protocol.

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)