The ftp ssl-policy command establishes a control connection with a remote FTPS server and displays the FTP client view.
# Establish an FTP connection on an IPv4 network.
ftp ssl-policy policy-name [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
# Establish an FTP connection on an IPv6 network.
# If the FTP connection address is the IPv6 address or host name of the remote FTP server, the command format is as follows:
ftp ssl-policy policy-name ipv6 host [ port-number ]
# If the FTP connection address is the IPv6 link-local address generated automatically by the interface of the remote IPv6 FTP server, the command format is as follows:
ftp ssl-policy policy-name ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-number ]
| Parameter | Description | Value |
|---|---|---|
| ssl-policy policy-name | Specifies the name of an SSL policy. The FTP server must already be configured with an SSL policy to provide SSL-based FTP services. You can use an FTP client to log in to a device enabled with the FTPS server function so that files transmitted between the client and server are protected. | The value is a string of 1 to 23 case-insensitive characters, spaces not supported. |
| -a source-ip-address | Specifies the IPv4 address of the FTP client. The specified IP address must have been configured on the device. Using the IP address of a loopback interface as the source IP address of the FTP connection is recommended. | - |
| -i interface-type interface-number | Specifies the type and number of the source interface on the FTP client for the FTP connection. The IP address of this interface serves as the source address of the messages sent. If the source interface has no IP address configured, the FTP connection cannot be established. Configuring a loopback interface as the source interface is recommended. | - |
| host | Specifies the IP address or IPv4 host name of the FTP server. | The IPv4 host name is a string of 1 to 20 case-insensitive characters, spaces not supported. |
| port-number | Specifies the listening port number of the FTP server. By default, the listening port number of the FTP server is 21. Users can directly log in to a device functioning as an FTP server by using the default listening port number. Attackers may also access the default listening port, consuming bandwidth, degrading server performance, and preventing authorized users from accessing the server. If the FTP server is configured with a non-default listening port number, attackers do not know the newly configured port number, and the FTP server is therefore well protected. | The value is an integer ranging from 1 to 65535. The default value 21 is the standard listening port number of an FTP server. |
| public-net | Establishes an FTP connection on the public network. | - |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance on the FTP server. The FTP client logs in to the FTP server in the specified VPN instance. | The value must be the name of an existing VPN instance. |
| ipv6-linklocal-address | Specifies the IPv6 link-local address generated automatically by the interface of the remote IPv6 FTP server. | - |
| -oi | Indicates the outbound interface of the IPv6 link-local address. | - |
| interface-type interface-number | Specifies the type and number of the outbound interface of the IPv6 link-local address. | - |
Usage Scenario
If an FTP client needs to access an FTP server, the client and server must establish a connection in advance. The ftp ssl-policy command can be used to establish the connection.
Prerequisites
The client and server must be routable.
On the FTP server:
On the FTP client:
Configuration Impact
After logging in to the FTP server from the FTP client, you can remotely manage files on the FTP server.
On an IPv4 network, the -a or -i parameter can be configured instead of an ACL rule or a security policy to simplify the configuration: the address that would otherwise be matched as the source address in an ACL rule is specified as the source address in this command, so that incoming messages can be filtered by that source address, improving device security.
Follow-up Procedure
If the number of logged-in FTP users reaches the upper limit, subsequent authorized users cannot log in to the FTP server. To ensure that subsequent authorized users can log in to the FTP server, disconnect the FTP connection if the FTP function is no longer used. Run the following commands in the FTP client view as required:
On an IPv4 network, the priority of the source address specified in the ftp ssl-policy command is higher than the priority of the source address specified in the ftp client-source command. If a source address is specified using the ftp client-source command, and then another source address is specified using the ftp ssl-policy command, the client and server of the current connection use the source address specified in the ftp ssl-policy command to communicate.
The source address specified using the ftp client-source command takes effect on all FTP connections; the source address specified using the ftp ssl-policy command takes effect only on the current FTP connection.
# Establish a connection with the remote FTPS server at 10.1.1.2.
```
<sysname> ftp ssl-policy ftp_server 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
```
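The control-channel exchange shown in the session output above (AUTH TLS, PBSZ 0, PROT P, then USER/PASS inside TLS) can be reproduced with a standard explicit-FTPS client. The following is an added example written with Python's ftplib, not the device's own implementation; the source address 10.1.1.1, the password placeholder and the CA file path are assumptions, and the strict TLS context stands in for the server-certificate checks an SSL policy would provide.

```python
"""Explicit FTPS client session: the same exchange as the page's session log."""
import ssl
from ftplib import FTP_TLS


def build_tls_context(cafile=None, verify=True):
    """Client-side TLS policy. cafile=None means the system CA store (assumption)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Weak setting shown for contrast: any certificate is accepted, so a
        # man-in-the-middle on the control channel would not be detected.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True when the context verifies certificate and hostname over TLS 1.2 or later."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def ftps_login(host, user, password, port=21, source_ip=None, ctx=None, timeout=10):
    """Run the control-channel exchange from the page's output and return the session.

    220 greeting -> AUTH TLS (234) -> USER/PASS inside TLS (331/230)
    -> PBSZ 0 (200) -> PROT P (200, data channel private).
    source_ip plays the role of the -a option: the client binds that address
    before connecting, so the server sees it on the control connection.
    """
    ctx = ctx or build_tls_context()
    if not context_is_strict(ctx):
        raise ValueError("refusing to connect with an unverified TLS context")
    src = (source_ip, 0) if source_ip else None          # port 0: ephemeral
    ftps = FTP_TLS(context=ctx, timeout=timeout, source_address=src)
    ftps.connect(host, port)       # 220 FTP service ready
    ftps.auth()                    # AUTH TLS -> 234, control channel now encrypted
    ftps.login(user, password)     # USER/PASS -> 331 / 230, credentials sent inside TLS
    ftps.prot_p()                  # PBSZ 0 / PROT P -> 200, data channel private
    return ftps


if __name__ == "__main__":
    # Server address and user name come from the page's example; the rest is assumed.
    session = ftps_login("10.1.1.2", "huawei", "<password>", source_ip="10.1.1.1")
    print(session.nlst())
    session.quit()
```

A connection attempt with `build_tls_context(verify=False)` is rejected before any socket is opened, which mirrors the reason the command requires an SSL policy rather than a bare TLS wrapper.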