FTP-Proxy Best Practices

WatchGuard recommends you use FTP-Proxy policies for any FTP traffic between your network and external hosts, or from external users to an FTP server on your network.

When you configure the FTP Proxy, make sure to choose the correct Proxy Action for the policy. For a policy that handles traffic from your network to external hosts, use the FTP-Client action. For a policy that handles traffic to servers on your network from external users, use the FTP-Server action.

The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP proxy, go to About the TCP-UDP-Proxy.

For detailed instructions on how to add the FTP-proxy to your Firebox configuration, go to Add a Proxy Policy to Your Configuration.

FTP Server Configuration and PASV Mode

Some FTP server configurations are set to advertise the network's external gateway IP address in their PASV responses.

This is unnecessary, because the FTP proxy on your Firebox translates the PASV response to the external IP address and adds rules for the additional data ports specified in the PASV response. This issue also applies to inbound FTP packet filters with SNAT.

If you host an FTP server behind your Firebox device that supports passive mode (PASV) connections, make sure that the PASV-response IP address matches the interface IP address of the server.
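To make the PASV translation concrete, the following is an added example (not WatchGuard code, and not how the Firebox implements it internally): it parses an RFC 959 `227` reply, checks that the advertised address matches the server's own interface address as recommended above, and rewrites the address to the external IP while keeping the data port that a firewall rule would need to allow. The server address 10.0.1.20 and external address 203.0.113.10 are constructed sample values.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# Group 1 is the text before the tuple, 2-7 the six numbers, 8 any trailing text.
PASV_RE = re.compile(r"^(227 [^(]*)\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)(.*)$")

# Constructed sample: server behind the Firebox advertises its own interface IP.
SERVER_REPLY = "227 Entering Passive Mode (10,0,1,20,195,88)"


def parse_pasv(reply: str):
    """Return (ip, data_port) from a 227 reply, or None if it is not a valid PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups()[1:7])
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one byte; anything larger is malformed
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_ip(reply: str, server_interface_ip: str) -> bool:
    """True when the server advertises its own interface address (the recommended setup)."""
    parsed = parse_pasv(reply)
    return parsed is not None and parsed[0] == server_interface_ip


def translate_pasv(reply: str, external_ip: str):
    """Rewrite the advertised address to the external IP, keeping the data port.

    Returns (rewritten_reply, data_port); the port is what a proxy must open
    for the follow-on data connection. Returns None for a malformed reply.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    _, port = parsed
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")  # validates the address
    new_tuple = ",".join(octets + [str(port // 256), str(port % 256)])
    m = PASV_RE.match(reply.strip())
    return f"{m.group(1)}({new_tuple}){m.group(8)}", port


if __name__ == "__main__":
    print(check_pasv_ip(SERVER_REPLY, "10.0.1.20"))
    print(translate_pasv(SERVER_REPLY, "203.0.113.10"))
```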

Related Topics

About Proxy Policies and ALGs