Awesome tutorial
Great video, and do you have anything regarding adding the Azure Security Hub with the Azure Firewall?
Thank you so much, followed exactly and it works.
Thanks!
Awesome video as usual Travis!!! :)
Glad you enjoyed!
your shirt is awesome
Hi,
I have an FTP server configured behind an Azure Firewall. In passive mode, it is able to establish the control connection successfully but occasionally fails to establish the data connection with the error "Data Peer IP [x.x.x.x] differ from control peer IP [x.x.x.x]: This should not happen, aborting the data connection.". Note that these IPs are private IPs from the Private Address Space CIDR of the firewall. What configuration is required to ensure that a single internal IP is used for both control and data connections? The FTP server does not have a private IP and I have configured a DNAT rule in the firewall. For testing purposes, I only configured 5 ports in the DNAT rule for passive mode.
Layer 3 and layer 7? What about layer 4???
Azure Firewall Basic is an overpriced offering with better third party alternatives. Why use this vs PFSense, for example?
It's not a bad option at under $300 US per month. It's a PaaS service with zonal HA and provides central management with policies. The price of any NVA would be x2 for HA and requires the overhead of OS management. Factor in licensing costs for premium NVAs and in most cases the basic firewall will be cheaper. I just wish filtering with web categories were available, that's a big limitation for enterprise customers.
@Ciraltos Good points, but we use DNS-based web filtering, which unfortunately malware can bypass by making DNS queries via DoH. So we need SSL inspection and specifically the ability to block by MIME type any DoH packets hiding in HTTPS streams.
@Ciraltos I should also add that the Basic SKU should be bandwidth limited only; all other features should have parity with the other SKUs. In terms of feature set, the Basic SKU is simply too limited and doesn't provide good enough value.
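The "block DoH by MIME type" idea from the comments above, worked through as an added example that is not part of this thread or of any Azure Firewall feature: RFC 8484 DNS-over-HTTPS carries a DNS wire-format message with the MIME type `application/dns-message`, either as a POST body or, for GET, base64url-encoded in the `dns` query parameter alongside an `Accept` header naming that type. Once TLS inspection exposes the HTTP layer, that MIME type is the signal a filter keys on. The three HTTP requests and the hostnames `dns.example.net` and `www.example.com` are constructed for the example, not captured traffic.

```python
"""Classify plaintext HTTP requests as DNS-over-HTTPS (RFC 8484) by MIME type.

Added example: the DoH MIME type application/dns-message appears as the
Content-Type of a POST body or in the Accept header of a GET whose `dns`
parameter carries the base64url-encoded query. The sample requests built by
sample_requests() are constructed for this example, not real captures.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MIME = "application/dns-message"


def build_dns_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS wire-format query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def decode_qname(wire):
    """Return the queried name from a DNS wire-format message, or None if malformed."""
    if len(wire) < 12 or struct.unpack("!H", wire[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(wire):
        length = wire[pos]
        pos += 1
        if length == 0:
            return ".".join(labels) if labels else "."
        if length > 63 or pos + length > len(wire):  # no pointers in a question name
            return None
        labels.append(wire[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None  # ran off the end before the terminating zero label


def parse_request(raw):
    """Split a raw HTTP/1.1 request (bytes) into method, target, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(raw):
    """Return (is_doh, queried_name). The MIME type drives the verdict; the
    name is decoded only so a block event can be logged with the domain."""
    method, target, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    accept = headers.get("accept", "").lower()
    if method == "POST" and content_type == DOH_MIME:
        return True, decode_qname(body)
    if method == "GET" and DOH_MIME in accept:
        params = parse_qs(urlsplit(target).query)
        if "dns" in params:
            token = params["dns"][0]
            padded = token + "=" * (-len(token) % 4)  # RFC 8484 strips padding
            try:
                return True, decode_qname(base64.urlsafe_b64decode(padded))
            except ValueError:  # binascii.Error is a ValueError
                return True, None
    return False, None


def sample_requests():
    """Constructed sample traffic: one DoH POST, one DoH GET, one ordinary request."""
    query = build_dns_query("example.com")
    post = (b"POST /dns-query HTTP/1.1\r\nHost: dns.example.net\r\n"
            b"Content-Type: application/dns-message\r\n"
            b"Content-Length: " + str(len(query)).encode() + b"\r\n\r\n" + query)
    token = base64.urlsafe_b64encode(query).rstrip(b"=")
    get = (b"GET /dns-query?dns=" + token + b" HTTP/1.1\r\nHost: dns.example.net\r\n"
           b"Accept: application/dns-message\r\n\r\n")
    web = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
    return {"doh_post": post, "doh_get": get, "web": web}


if __name__ == "__main__":
    for label, raw in sample_requests().items():
        is_doh, qname = classify(raw)
        print(f"{label:9s} doh={is_doh} qname={qname}")
```

The decision is made on the MIME type alone, as the comment suggests; the decoded name is for the block log, which is why a malformed `dns` parameter still returns `(True, None)` rather than letting the request through.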