2.11  FTP Policy Configuration

Requirements

FTP usage will be limited by the following restrictions:

  • transmission of music files in the MP3 format will be denied

  • transmission of video files (*.avi) will be denied within working hours

  • uploads (storing files at FTP servers) will be denied — protection of important company information

Predefined FTP Rules

Go to Configuration → Content Filtering → FTP Policy to set FTP limitations. The following predefined rules cover all of the intended restrictions:

Figure 2.32. Predefined FTP Rules


  • The rules Forbid *.mpg, *.mp3 and *.mpeg files and Forbid upload are ready to use.

  • To use the Forbid *.avi files rule, go to the Advanced tab and set the time interval the rule will apply to.

    Figure 2.33. The Forbid *.avi files rule — setting time interval when the rule will be applied


  • It is also recommended to enable the rule Forbid resume due to antivirus scanning. This ensures that all files transferred via FTP are thoroughly scanned by an antivirus program.

Warning

The FTP policy refers to all FTP traffic that is processed by the FTP protocol inspector.

In the following example, we intend to make the local FTP server available from the Internet. The Forbid upload rule also denies uploads to this server, which is not always desirable. For this reason, a rule that allows uploads to this server must be added before the Forbid upload rule.

Figure 2.34. FTP rule — allowing uploads to the corporate FTP server


Figure 2.35. FTP rule — allowing upload of any file


Notes:

  1. The IP address of the host where the appropriate FTP service is running must be used to define the FTP server's IP address. It is not possible to use an outbound IP address of the firewall that the FTP server is mapped from (unless the FTP server runs on the firewall)! IP addresses are translated before the content filtering rules are applied.

  2. The same method can be applied to enable upload to a particular FTP server on the Internet while upload to other FTP servers remains forbidden.
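
The following added example (a simplified model, not the product's own code) shows why the allow rule must precede Forbid upload and why, as note 1 says, the rule must use the address of the host running the FTP service. The IP addresses, the working-hours interval, first-match evaluation and the allow-by-default result are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch
from typing import Optional, Tuple

UPLOAD = {"STOR", "APPE", "STOU"}      # FTP commands that store a file on the server
TRANSFER = UPLOAD | {"RETR"}           # uploads plus downloads
# Constructed sample values (assumptions, not taken from the guide):
FTP_SERVER_LAN = "192.168.1.10"        # host where the FTP service actually runs
FIREWALL_WAN = "203.0.113.5"           # firewall address the server is mapped from
WORK_HOURS = (time(8, 0), time(17, 0))

@dataclass
class Rule:
    name: str
    allow: bool
    commands: set
    pattern: str = "*"                          # file name mask
    server: Optional[str] = None                # None = any FTP server
    hours: Optional[Tuple[time, time]] = None   # None = valid at any time

    def matches(self, cmd, filename, server, now):
        if cmd not in self.commands or not fnmatch(filename.lower(), self.pattern):
            return False
        if self.server is not None and server != self.server:
            return False
        return self.hours is None or self.hours[0] <= now < self.hours[1]

def port_map(dst_ip):
    """Destination translation, applied before the FTP rules are evaluated."""
    return FTP_SERVER_LAN if dst_ip == FIREWALL_WAN else dst_ip

def evaluate(rules, cmd, filename, dst_ip, now):
    """First matching rule decides; unmatched traffic is allowed (assumption)."""
    server = port_map(dst_ip)
    for rule in rules:
        if rule.matches(cmd, filename, server, now):
            return rule.allow, rule.name
    return True, "no rule matched"

def build_policy(server_ip):
    """Allow rule first, then the restrictions from the Requirements list."""
    return [
        Rule("Allow upload to corporate FTP server", True, UPLOAD, server=server_ip),
        Rule("Forbid upload", False, UPLOAD),
        Rule("Forbid *.mp3 files", False, TRANSFER, "*.mp3"),
        Rule("Forbid *.avi files", False, TRANSFER, "*.avi", hours=WORK_HOURS),
    ]
```

Building the policy with FIREWALL_WAN instead of FTP_SERVER_LAN makes the allow rule unreachable: the destination has already been translated when the rules run, so the upload falls through to Forbid upload.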