About the FTP-Proxy

FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same network or on a different network. The FTP client can be in one of two modes for data transfer: active or passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the client uses a previously negotiated port to connect to the server. The FTP-proxy monitors and scans these FTP connections between your users and the FTP servers they connect to.

With an FTP-proxy policy, you can:

Set the maximum user name length, password length, file name length, and command line length allowed through the proxy to help protect your network from buffer overflow attacks.
Control the type of files that the FTP-proxy allows for downloads and uploads.

The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP proxy, see About the TCP-UDP-Proxy.

For detailed instructions on how to add the FTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your Configuration.

If you must change the proxy definition, you can use the Policy Configuration page to modify the definition. This page has three tabs: Policy, Properties, and Advanced.

Action Settings

At the top of the Policy Configuration page, you can set these actions:

Application Control Action — If Application Control is enabled on your device, specify the application control action to use for this policy. For more information, see Enable Application Control in a Policy.
Proxy action — Select the proxy action to use for this policy. For information about proxy actions, see About Proxy Actions.

You can also configure Gateway AntiVirus service settings for the FTP-proxy. For more information, see Configure the Gateway AntiVirus Service.

Policy Tab

To set access rules and other options, select the Policy tab.

Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset). Define who appears in the From and To lists.
For more information, see Set Access Rules for a Policy.
Use policy-based routing — For information about how to use policy-based routing in your proxy definition, see Configure Policy-Based Routing.
You can also configure static NAT or configure server load balancing.
For more information, see Configure Static NAT or Configure Server Load Balancing.

Properties Tab

On the Properties tab, you can configure these options:

To edit or add a comment to this policy configuration, type the comment in the Comment text box.
To define the logging settings for the policy, configure the settings in the Logging section. For more information, see Set Logging and Notification Preferences.
If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use FTP.
For more information, see Block Sites Temporarily with Policy Settings.
To change the idle timeout that is set by the XTM device or authentication server, follow the instructions in Set a Custom Idle Timeout.

Advanced Tab

You can also configure these options in your proxy definition:

Set an Operating Schedule
Add a Traffic Management Action to a Policy
Set ICMP Error Handling
Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
Enable QoS Marking or Prioritization Settings for a Policy
Set the Sticky Connection Duration for a Policy

Configure the Proxy Action

You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.