Related Topics

About the FTP-Proxy

FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same network or on a different network.

With an FTP-proxy policy, you can:

  • Set the maximum user name length, password length, file name length, and command line length allowed through the proxy to help protect your network from buffer overflow attacks.
  • Control the type of files that the FTP-proxy allows for downloads and uploads.

The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP proxy, see About the TCP-UDP-Proxy.

For detailed instructions on how to add the FTP-proxy to your Firebox configuration, see Add a Proxy Policy to Your Configuration.

Which Proxy Action To Use

When you configure a proxy policy, you must select a proxy action appropriate to the policy. For a proxy policy that allows connections from your internal clients to the internet, use the Client proxy action. For a proxy policy that allows connections to your internal servers from the internet, use the Server proxy action.

Predefined proxy actions with Standard appended to the proxy action name include recommended standard settings that reflect the latest Internet network traffic trends.

In Fireware v11.12 and higher, the Web Setup Wizard and WSM Quick Setup Wizard automatically adds an FTP-proxy policy that uses the Default-FTP-Client proxy action. The Default-FTP-Client proxy action is based on the FTP-Client.Standard proxy action and enables subscription services that were licensed in the feature key when the setup wizard was run. If you add a new FTP-proxy policy, the Default-FTP-Client proxy action could be a better choice than the FTP-Client.Standard proxy action. For more information about the Default-FTP-Client proxy action, see Setup Wizard Default Policies and Settings.

FTP Active and Passive Mode

The FTP client can be in one of two modes for data transfer: active or passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the client uses a previously negotiated port to connect to the server. The FTP-proxy monitors and scans these FTP connections between your users and the FTP servers they connect to.

If you host an FTP server behind your Firebox device that supports passive mode (PASV) connections, make sure that the PASV-response IP address matches the interface IP address of the server. Some FTP server configurations will respond with the external gateway IP address for the network. This is unnecessary as the FTP proxy on your Firebox translates the PASV responses to the external IP address, and adds rules for the additional data ports specified in the PASV response.

This issue also applies to inbound FTP packet filters with SNAT.

Configure the FTP-Proxy

See Also

About Proxy Policies and ALGs

Give Us Feedback     Get Support     All Product Documentation     Technical Search