12.5  FTP Policy

To define rules for access to FTP servers go to Configuration → Content Filtering → FTP Rules.

Figure 12.13. FTP Rules

Rules in this section are tested from the top of the list downwards (you can reorder the list entries using the arrow buttons at the right side of the dialog window). Testing stops at the first rule that matches. If the request does not match any rule, access to the FTP server is implicitly allowed.

Note:

  1. The default WinRoute configuration includes a set of predefined rules for FTP traffic. These rules are disabled by default and are available to WinRoute administrators.

  2. One of the predefined rules (the Resume rule) blocks completion of interrupted downloads (the so-called resume function, executed by the REST FTP command). This rule is essential for proper functionality of the antivirus control: for reliable scanning, entire files must be scanned.

    If undesirable, this rule can be disabled. This is not recommended as it might jeopardize scanning reliability. However, there is a more secure way to limit this behavior: create a rule which will allow unlimited connections to a particular FTP server. The rule will take effect only if it is placed before the Resume rule.

    For details on antivirus scan of FTP protocol, refer to chapter 13.3  HTTP and FTP scanning.

FTP Rules Definition

To create a new rule, select a rule after which the new rule will be added, and click Add. You can later use the arrow buttons to reorder the rule list.

The checkbox next to each rule can be used to disable it. Rules can be disabled temporarily, so it is not necessary to remove a rule and create an identical one later.

Note: FTP traffic which does not match any FTP rule is allowed (any traffic is permitted by default). To allow access only to a specific group of FTP servers and block access to all other FTP servers, a rule denying access to all FTP servers must be placed at the end of the rule list.

FTP rule dialog:

Figure 12.14. FTP Rule — basic parameters

Open the General tab to set general rules and actions to be taken.

Description

Description of the rule (information for the administrator).

If user accessing the FTP server is

Select which users this rule will be applied on:

  • any user — the rule will be applied on all users (regardless whether authenticated on the firewall or not).

  • any user authenticated on the firewall — applied on all authenticated users.

  • selected user(s) — applied on selected users and/or user groups.

    Click on the Set button to select users or groups (hold the Ctrl and the Shift keys to select more than one user/group at once).

Note: Rules designed for selected users (or all authenticated users) are irrelevant unless combined with a rule that denies access of non-authenticated users.

And the FTP server is

Specify FTP servers on which this rule will be applied:

  • any server — any FTP server

  • server — IP address or DNS name of a particular FTP server.

    If an FTP server is defined through a DNS name, WinRoute will automatically perform IP address resolution from DNS. The IP address will be resolved immediately when settings are confirmed by the OK button (for all rules where the FTP server was defined by a DNS name).

    Warning

    Rules are disabled unless a corresponding IP address is found!

  • IP address from group — selection of IP addresses of FTP servers that will be either denied or allowed.

    Click on the Edit button to edit IP groups (for details see chapter 14.1  IP Address Groups).

Action

Select an action that will be taken when requirements for users and the FTP server are met:

  • Allow — WinRoute allows connection to the selected FTP servers under the conditions set in the Advanced tab (see below).

  • Deny — WinRoute will block certain FTP commands or FTP connections (according to the settings within the Advanced tab).

Check the Log option to log all FTP connections meeting this rule in the Filter log (see chapter 22.9  Filter Log).

Go to the Advanced tab to define other conditions that must be met for the rule to be applied and to set advanced options for FTP communication.

Figure 12.15. FTP Rule — advanced settings

Valid at time interval

Selection of the time interval during which the rule will be valid (apart from this interval the rule will be ignored). Use the Edit button to edit time intervals (for details see chapter 14.2  Time Intervals).

Valid for IP address group

Selection of IP address group on which the rule will be applied. Client (source) addresses are considered. Use the Any option to make the rule independent of clients.

Click on the Edit button to edit IP groups (for details see chapter 14.1  IP Address Groups).

Content

Advanced options for FTP traffic content.

Use the Type option to set a filtering method:

  • Download, Upload, Download / Upload — transport of files in one or both directions.

    If any of these options is chosen, you can specify names of files on which the rule will be applied using the File name entry. Wildcard matching can be used to specify a file name (e.g. *.exe for executables).

  • FTP command — selection of commands for the FTP server on which the rule will be applied.

  • Any — denies all traffic (any connection or any command use).

Scan content for viruses according to scanning rules

Use this option to enable/disable virus scanning for FTP traffic which meets this rule.

This option is available only for allowing rules — it is meaningless to apply antivirus check to denied traffic.
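The following is an added example, not code from the WinRoute manual or product. It is a small Python model of the rule semantics this chapter describes (top-down evaluation, first match wins, disabled rules skipped, implicit allow when nothing matches) and of the conditions a rule carries (user, server, client IP group, content type with wildcard file name, FTP command). The names Rule, Request and evaluate, and the sample policy and addresses, are this example's own; time intervals are left out for brevity. The policy shows the two ordering points made above: an exception rule allowing REST to one server takes effect only because it is placed before the Resume rule, and a deny-all rule at the end turns the default allow into a whitelist.

```python
# Added example (not WinRoute code): a model of the FTP rule evaluation
# described in chapter 12.5. Rule/Request/evaluate are names chosen here.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

ANY = "any"


@dataclass
class Request:
    """One FTP operation seen by the firewall (constructed sample input)."""
    client_ip: str
    user: Optional[str]      # None = not authenticated on the firewall
    server: str              # FTP server IP address
    kind: str                # "download", "upload" or "command"
    filename: str = ""       # for download/upload
    command: str = ""        # for kind == "command", e.g. "REST"


@dataclass
class Rule:
    description: str
    action: str                       # "allow" or "deny"
    enabled: bool = True              # unchecked box in the list = disabled
    users: object = ANY               # ANY, "authenticated" or a set of names
    servers: object = ANY             # ANY or a set of server IPs (an IP group)
    client_group: object = ANY        # "Valid for IP address group" (client side)
    content_type: str = ANY           # ANY, "download", "upload", "download/upload", "command"
    file_pattern: str = "*"           # File name wildcard for download/upload rules
    commands: frozenset = frozenset() # FTP commands for content_type == "command"
    scan_for_viruses: bool = False    # meaningful only for allow rules

    def matches(self, req: Request) -> bool:
        if not self.enabled:
            return False
        if self.users == "authenticated" and req.user is None:
            return False
        if isinstance(self.users, (set, frozenset)) and req.user not in self.users:
            return False
        if self.servers != ANY and req.server not in self.servers:
            return False
        if self.client_group != ANY and req.client_ip not in self.client_group:
            return False
        if self.content_type == ANY:
            return True                      # any connection or command
        if self.content_type == "command":
            return req.kind == "command" and req.command.upper() in self.commands
        # download / upload / download-upload: direction plus file name wildcard
        directions = self.content_type.split("/")
        return req.kind in directions and fnmatchcase(
            req.filename.lower(), self.file_pattern.lower())


def evaluate(rules, req):
    """Test rules top-down; first match decides; no match = implicit allow."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.description
    return "allow", "(no rule matched: implicit allow)"


INTERNAL_MIRROR = "192.0.2.10"   # constructed address from the TEST-NET-1 range

# Sample policy (constructed). Order matters: the REST exception sits above the
# Resume rule, the .exe block sits above the server whitelist, deny-all is last.
POLICY = [
    Rule("Maintenance block (left disabled)", "deny", enabled=False),
    Rule("Allow resume on internal mirror for authenticated users", "allow",
         users="authenticated", servers={INTERNAL_MIRROR},
         content_type="command", commands=frozenset({"REST"})),
    Rule("Resume: block REST so the antivirus always sees whole files", "deny",
         content_type="command", commands=frozenset({"REST"})),
    Rule("Block executable downloads", "deny",
         content_type="download", file_pattern="*.exe"),
    Rule("Allow approved FTP servers", "allow",
         servers={INTERNAL_MIRROR}, scan_for_viruses=True),
    Rule("Deny all other FTP servers", "deny"),
]

if __name__ == "__main__":
    samples = [
        Request("10.0.0.5", "alice", INTERNAL_MIRROR, "command", command="REST"),
        Request("10.0.0.5", None, INTERNAL_MIRROR, "command", command="REST"),
        Request("10.0.0.5", "alice", "198.51.100.7", "command", command="REST"),
        Request("10.0.0.5", "alice", INTERNAL_MIRROR, "download", filename="Setup.EXE"),
        Request("10.0.0.5", "alice", INTERNAL_MIRROR, "download", filename="readme.txt"),
        Request("10.0.0.5", "alice", "198.51.100.7", "download", filename="readme.txt"),
    ]
    for req in samples:
        print(req.kind, req.command or req.filename, "->", evaluate(POLICY, req))
```

Dropping the last rule (`POLICY[:-1]`) restores the default described in the chapter: a download from a server that no rule mentions is then implicitly allowed, which is why the deny-all rule must be present, and last, to get whitelist behaviour.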