About the FTP-Proxy

FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same network or on a different network.

With an FTP-proxy policy, you can:

  • Set the maximum user name length, password length, file name length, and command line length allowed through the proxy to help protect your network from buffer overflow attacks.
  • Control the type of files that the FTP-proxy allows for downloads and uploads.

The FTP-proxy does not support FTP over SSL, TLS, or SFTP connections.

The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP proxy, go to About the TCP-UDP-Proxy.

For detailed instructions on how to add the FTP-proxy to your Firebox configuration, go to Add a Proxy Policy to Your Configuration.

Which Proxy Action To Use

When you configure a proxy policy, you must select a proxy action appropriate to the policy. For a proxy policy that allows connections from your internal clients to the internet, use the Client proxy action. For a proxy policy that allows connections to your internal servers from the internet, use the Server proxy action.

Predefined proxy actions with Standard appended to the proxy action name include recommended standard settings that reflect the latest Internet network traffic trends.

In Fireware v11.12 and higher, the Web Setup Wizard and WSM Quick Setup Wizard automatically adds an FTP-proxy policy that uses the Default-FTP-Client proxy action. The Default-FTP-Client proxy action is based on the FTP-Client.Standard proxy action and enables subscription services that were licensed in the feature key when the setup wizard was run. If you add a new FTP-proxy policy, the Default-FTP-Client proxy action could be a better choice than the FTP-Client.Standard proxy action. For more information about the Default-FTP-Client proxy action, go to Setup Wizard Default Policies and Settings.

FTP Active and Passive Mode

The FTP client can be in one of two modes for data transfer: active or passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the client uses a previously negotiated port to connect to the server. The FTP-proxy monitors and scans these FTP connections between your users and the FTP servers they connect to.

If you host an FTP server behind your Firebox device that supports passive mode (PASV) connections, make sure that the PASV-response IP address matches the interface IP address of the server. Some FTP server configurations will respond with the external gateway IP address for the network. This is unnecessary as the FTP proxy on your Firebox translates the PASV responses to the external IP address, and adds rules for the additional data ports specified in the PASV response.

This issue also applies to inbound FTP packet filters with SNAT.

Configure the FTP-Proxy

Settings Tab

On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, or configure bandwidth and time quotas, static NAT, or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.

SD-WAN Tab

On the SD-WAN tab, you can select to apply an SD-WAN action to the policy. You can also add a new SD-WAN action. For more information about SD-WAN routing, go to About SD-WAN.

SD-WAN replaces policy-based routing in Fireware v12.3 or higher.

Application Control Tab

If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.

  1. Select the Application Control tab.
  2. From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
  3. (Optional) Edit the Application Control settings for the selected action.
  4. Click Save.

For more information, go to Enable Application Control in a Policy.

Geolocation Tab

If Geolocation is enabled on your Firebox, on the Geolocation tab, you can select the Geolocation action for this proxy. You can also add a new Geolocation action. For more information about Geolocation, go to Configure Geolocation.

To apply a Geolocation action in a policy:

  1. Select the Geolocation tab.
  2. From the Geolocation Control Action drop-down list, select a Geolocation action.
    Or, to create a new Geolocation action, click Add.
  3. Click Save.

The Geolocation tab is available in Fireware 12.3 or higher.

Traffic Management Tab

On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, go to Define a Traffic Management Action and Add Traffic Management Actions to a Policy.

To apply a Traffic Management action in a policy:

  1. Select the Traffic Management tab.
  2. From the Traffic Management Action drop-down list, select a Traffic Management action.
    Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action.
  3. Click Save.

Proxy Action Tab

You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.

To configure the proxy action:

  1. Select the Proxy Action tab.
  2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
    For information about proxy actions, go to About Proxy Actions.
  3. Click Save.

For the FTP-proxy, you can configure these categories of settings for a proxy action:

Scheduling Tab

On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.

  1. Select the Scheduling tab.
  2. From the Schedule Action drop-down list, select a schedule.
    Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule.
  3. Click Save.

Advanced Tab

The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.

To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.

For more information on the options for this tab, go to:

Policy Tab

To set access rules and other options, select the Policy tab.

Properties Tab

On the Properties tab, you can configure these options:

  • To edit or add a comment to this policy configuration, type the comment in the Comment text box.
  • To define the logging settings for the policy, click Logging.
    For more information, go toSet Logging and Notification Preferences.
  • If you set the FTP-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use FTP.
    For more information, go to Block Sites Temporarily with Policy Settings.
  • To change the idle timeout that is set by the Firebox or authentication server, go to Set a Custom Idle Timeout.

Advanced Tab

 You can also configure these options in your proxy definition:

Configure the Proxy Action

You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.

For the FTP-proxy, you can configure these categories of settings for a proxy action:

Related Topics

About Proxy Policies and ALGs