
Commit 784906d

committed
add passive ft limitations
1 parent d6be5ec commit 784906d


1 file changed

+2
-1
lines changed


articles/firewall/overview.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ ms.service: firewall
66
services: firewall
77
ms.topic: overview
88
ms.custom: mvc
9-
ms.date: 04/03/2020
9+
ms.date: 04/07/2020
1010
ms.author: victorh
1111
Customer intent: As an administrator, I want to evaluate Azure Firewall so I can determine if I want to use it.
1212
---
@@ -115,6 +115,7 @@ Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work
115115
|Active FTP isn't supported|Active FTP is disabled on Azure Firewall to protect against FTP bounce attacks using the FTP PORT command.|You can use Passive FTP instead. You must still explicitly open TCP ports 20 and 21 on the firewall.
116116
|SNAT port utilization metric shows 0%|The Azure Firewall SNAT port utilization metric may show 0% usage even when SNAT ports are used. In this case, using the metric as part of the firewall health metric provides an incorrect result.|This issue has been fixed and rollout to production is targeted for May 2020. In some cases, firewall redeployment resolves the issue, but it's not consistent. As an intermediate workaround, only use the firewall health state to look for *status=degraded*, not for *status=unhealthy*. Port exhaustion will show as *degraded*. *Not healthy* is reserved for future use when the are more metrics to impact the firewall health.
117117
|DNAT is not supported with Forced Tunneling enabled|Firewalls deployed with Forced Tunneling enabled can't support inbound access from the Internet because of asymmetric routing.|This is by design because of asymmetric routing. The return path for inbound connections goes via the on-premises firewall, which hasn't seen the connection established.
118+
|Outbound Passive FTP doesn't work for Firewalls with multiple public IP addresses.|Passive FTP establishes different connections for control and data channels. When a Firewall with multiple public IP addresses sends data outbound, it randomly selects one of its public IP address for the source IP address. FTP fails when data and control channels use different source IP addresses.|An explicit SNAT configuration is planned. In the meantime, consider using a single IP address in this situation.|
118119

119120
## Next steps
120121
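Review bot: the new row ends with a trailing `|` while the three neighbouring rows in this table (Active FTP, SNAT port utilization, DNAT) do not; drop it, or add it to the others, so the table source is consistent. Two wording points in the same row: "one of its public IP address" should be "one of its public IP addresses", and "Firewalls"/"Firewall" is capitalized mid-sentence where the surrounding rows write "firewall". More substantively, the "Active FTP isn't supported" row above still says "You can use Passive FTP instead" with no pointer to this new limitation, so a reader following that advice on a firewall with multiple public IP addresses will run into exactly the failure this row describes; consider adding a cross-reference to that row (for example, "see the passive FTP limitation below for firewalls with multiple public IP addresses"). The workaround "consider using a single IP address in this situation" is also ambiguous about whether it means deploying the firewall with one public IP address or something else; spell out which. While here, the unchanged SNAT row above has a typo, "when the are more metrics", worth fixing in the same pass.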
