To define rules for access to FTP servers go to Configuration → Content Filtering → FTP Rules.
Rules in this section are tested from the top of the list downwards (you can reorder the list entries using the arrow buttons at the right side of the dialog window). Testing stops at the first matching rule. If the query does not match any rule, access to the FTP server is implicitly allowed.
Note:
The default WinRoute configuration includes a set of predefined rules for FTP traffic. These rules are disabled by default and are available to WinRoute administrators.
A rule which blocks completion of interrupted downloads (the so-called resume function, executed by the REST FTP command). This rule is essential for proper functionality of the antivirus control: for reliable scanning, entire files must be scanned, and a resumed transfer delivers only the remaining part of a file.
If undesirable, this rule can be disabled. This is not recommended, as it might jeopardize scanning reliability. However, there is a more secure way to limit this behavior: create a rule which allows unlimited connections to a particular FTP server. That rule takes effect only if it is placed before the Resume rule.
For details on antivirus scan of FTP protocol, refer to chapter 13.3 HTTP and FTP scanning.
To create a new rule, select the rule after which the new rule will be added and click the add button. You can later use the arrow buttons to reorder the rule list. The check box next to a rule can be used to disable it. Rules can be disabled temporarily, so it is not necessary to remove rules and create identical ones later.
Note: FTP traffic which does not match any FTP rule is allowed (any traffic is permitted by default). To allow access only to a specific group of FTP servers and block access to all others, a rule denying access to all FTP servers must be placed at the end of the rule list.
FTP rule dialog:
Open the General tab to set general rules and actions to be taken.
Description of the rule (information for the administrator).
Select the users to which this rule applies:
any user — the rule applies to all users (regardless of whether they are authenticated on the firewall or not).
any user authenticated on the firewall — applies to all authenticated users.
selected user(s) — applies to selected users and/or user groups. Click the button to select users or groups (hold the Ctrl or Shift key to select more than one user or group at once).
Note: Rules designed for selected users (or all authenticated users) are irrelevant unless combined with a rule that denies access to non-authenticated users.
Specify the FTP servers to which this rule applies:
any server — any FTP server.
server — IP address or DNS name of a particular FTP server.
If an FTP server is defined by a DNS name, WinRoute automatically resolves the name to an IP address. The resolution is performed immediately when the settings are confirmed (for all rules where the FTP server was defined by a DNS name).
A rule stays disabled unless a corresponding IP address is found!
IP address from group — selection of a group of FTP server IP addresses that will be either denied or allowed. Click the button to edit IP groups (for details see chapter 14.1 IP Address Groups).
Select the action to be taken when the conditions for users and the FTP server are met:
Allow — WinRoute allows connection to the selected FTP servers under the conditions set in the Advanced tab (see below).
Deny — WinRoute blocks certain FTP commands or FTP connections (according to the settings in the Advanced tab).
Check the Log option to log all FTP connections matching this rule in the Filter log (see chapter 22.9 Filter Log).
Go to the Advanced tab to define other conditions that must be met for the rule to be applied and to set advanced options for FTP communication.
Selection of the time interval during which the rule is valid (outside this interval the rule is ignored). Use the button to edit time intervals (for details see chapter 14.2 Time Intervals).
Selection of the IP address group to which the rule applies. Client (source) addresses are considered. Use the Any option to make the rule independent of clients. Click the button to edit IP groups (for details see chapter 14.1 IP Address Groups).
Advanced options for FTP traffic content.
Use the Type option to set a filtering method:
Download, Upload, Download / Upload — transfer of files in one or both directions.
If any of these options is chosen, you can specify the names of files to which the rule applies using the File name entry. Wildcard matching can be used to specify a file name (e.g. *.exe for executables).
FTP command — selection of the FTP commands to which the rule applies.
Any — denies all traffic (any connection or any command).
Use this option to enable or disable antivirus scanning of FTP traffic that matches this rule.
This option is available only for allow rules; it is meaningless to apply an antivirus check to denied traffic.
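The rule evaluation described in this section (top-down, first match wins, implicit allow when nothing matches, the Resume rule versus an allow rule for a trusted server placed before it, wildcard file-name matching, and the need for a closing deny rule when rules target selected or authenticated users), as an added Python example. It is not part of the original manual and not WinRoute's own code; the rule and request structures, their field names, the mapping of FTP commands to download/upload directions, and the sample addresses and rule descriptions are all assumptions constructed for the illustration.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed, simplified model of a WinRoute-style FTP rule list; not the product's
# own code or data format. Field names and sample values are assumptions.
DOWNLOAD_COMMANDS = {"RETR"}                # commands that move a file to the client
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}  # commands that move a file to the server

@dataclass
class FtpRequest:
    user: Optional[str]   # None = client not authenticated on the firewall
    server: str           # FTP server IP address (DNS names assumed already resolved)
    client_ip: str        # client (source) address
    command: str          # FTP command, e.g. RETR, STOR, REST
    filename: str = ""    # file named by the command, if any

@dataclass
class FtpRule:
    description: str
    action: str                          # "allow" or "deny"
    enabled: bool = True                 # an unchecked rule is skipped, not removed
    users: str = "any"                   # "any", "authenticated" or "selected"
    selected_users: Set[str] = field(default_factory=set)
    servers: Optional[Set[str]] = None   # None = any server
    clients: Optional[Set[str]] = None   # None = any client address
    direction: Optional[str] = None      # "download", "upload" or "both"
    file_pattern: str = "*"              # wildcard, applied only with a direction
    commands: Optional[Set[str]] = None  # None = any FTP command
    scan: bool = False                   # antivirus scan; only meaningful for allow

def rule_matches(rule: FtpRule, req: FtpRequest) -> bool:
    # True only when every condition on the General and Advanced tabs holds.
    if not rule.enabled:
        return False
    if rule.users == "authenticated" and req.user is None:
        return False
    if rule.users == "selected" and req.user not in rule.selected_users:
        return False
    if rule.servers is not None and req.server not in rule.servers:
        return False
    if rule.clients is not None and req.client_ip not in rule.clients:
        return False
    if rule.direction is not None:
        wanted = set()
        if rule.direction in ("download", "both"):
            wanted |= DOWNLOAD_COMMANDS
        if rule.direction in ("upload", "both"):
            wanted |= UPLOAD_COMMANDS
        if req.command not in wanted:
            return False
        if not fnmatch.fnmatch(req.filename.lower(), rule.file_pattern.lower()):
            return False
    if rule.commands is not None and req.command not in rule.commands:
        return False
    return True

def evaluate(rules: List[FtpRule], req: FtpRequest) -> Tuple[str, str]:
    # Rules are tested top-down and the first match decides; no match = implicit allow.
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.description
    return "allow", "implicit default (no rule matched)"

# Constructed sample rules and requests mirroring the options in the FTP rule dialog.
RESUME_RULE = FtpRule("Forbid resume (REST command)", "deny", commands={"REST"})
TRUSTED_MIRROR = FtpRule("Allow trusted mirror", "allow", servers={"192.0.2.10"}, scan=True)
NO_EXE = FtpRule("Block .exe downloads", "deny", direction="download", file_pattern="*.exe")
ADMIN_UPLOAD = FtpRule("Selected users may upload", "allow", users="selected",
                       selected_users={"admin"}, direction="upload")
DENY_ALL = FtpRule("Deny all other FTP traffic", "deny")

RESUME_FIRST = [RESUME_RULE, TRUSTED_MIRROR, NO_EXE, ADMIN_UPLOAD, DENY_ALL]
MIRROR_FIRST = [TRUSTED_MIRROR, RESUME_RULE, NO_EXE, ADMIN_UPLOAD, DENY_ALL]
NO_FINAL_DENY = RESUME_FIRST[:-1]  # same list without the closing deny-all rule

REST_ON_MIRROR = FtpRequest("alice", "192.0.2.10", "10.0.0.5", "REST", "big.iso")
EXE_DOWNLOAD = FtpRequest(None, "198.51.100.7", "10.0.0.5", "RETR", "Setup.EXE")
TXT_DOWNLOAD = FtpRequest(None, "198.51.100.7", "10.0.0.5", "RETR", "readme.txt")
ANON_UPLOAD = FtpRequest(None, "198.51.100.7", "10.0.0.5", "STOR", "notes.txt")
ADMIN_UPLOAD_REQ = FtpRequest("admin", "198.51.100.7", "10.0.0.5", "STOR", "notes.txt")

def demo() -> dict:
    # Each entry shows how rule order and the closing deny rule change the outcome.
    return {
        "rest_resume_first": evaluate(RESUME_FIRST, REST_ON_MIRROR),
        "rest_mirror_first": evaluate(MIRROR_FIRST, REST_ON_MIRROR),
        "exe_download": evaluate(RESUME_FIRST, EXE_DOWNLOAD),
        "txt_with_final_deny": evaluate(RESUME_FIRST, TXT_DOWNLOAD),
        "txt_without_final_deny": evaluate(NO_FINAL_DENY, TXT_DOWNLOAD),
        "admin_upload": evaluate(RESUME_FIRST, ADMIN_UPLOAD_REQ),
        "anon_upload_with_final_deny": evaluate(RESUME_FIRST, ANON_UPLOAD),
        "anon_upload_without_final_deny": evaluate(NO_FINAL_DENY, ANON_UPLOAD),
    }

if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:32} {action:5} ({why})")
```

Running the script prints one line per scenario. The two REST_ON_MIRROR results differ only in rule order, which is exactly the interaction between the Resume rule and a preceding allow rule described above; the two ANON_UPLOAD results show why a rule for selected users changes nothing unless a rule denying non-authenticated (or all other) traffic follows it.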