User guide
Proxy Settings
About the FTP proxy
FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP/IP
network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same
network or on a different network. The FTP client can be in one of two modes for data transfer: active or
passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the
client uses a previously negotiated port to connect to the server. The FTP proxy monitors and scans these FTP
connections between your users and FTP servers they connect to.
With an FTP proxy filter, you can:
Set the maximum user name length, password length, file name length, and command line length allowed through the proxy to help protect your network from buffer overflow attacks.
Control the type of files that the FTP proxy allows for downloads and uploads.
The FTP proxy only applies to outgoing traffic. It does not apply to an FTP session initiated from the external
network. We recommend that you deny all incoming traffic.
To enable the FTP proxy, see Enable a proxy. Then, if you choose, edit the proxy definition as described in Add or edit a proxy policy.
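An added example, not code from this guide or the product: a small Python model of the two control-channel jobs described above, enforcing length limits on client commands (user name, password, file name, command line) and recovering the negotiated data-connection address from a PORT command (active mode) or a 227 reply (passive mode) so the proxy knows which data connection to expect. The limit values, function names and sample lines are assumptions for illustration, not the product's defaults.

```python
import re

# Constructed example limits, not the product's default values.
LIMITS = {"user": 64, "password": 64, "filename": 255, "command": 512}

# Commands whose argument is a file name, subject to the file name limit.
FILE_CMDS = {"RETR", "STOR", "APPE", "DELE", "STOU", "RNFR", "RNTO", "SIZE", "MDTM"}

def check_command(line, limits=LIMITS):
    """Return None if the client command line is within the limits, else the
    reason a proxy would reject it before it reaches the FTP server."""
    if len(line) > limits["command"]:
        return "command line too long"
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    if verb == "USER" and len(arg) > limits["user"]:
        return "user name too long"
    if verb == "PASS" and len(arg) > limits["password"]:
        return "password too long"
    if verb in FILE_CMDS and len(arg) > limits["filename"]:
        return "file name too long"
    return None

# h1,h2,h3,h4,p1,p2 as carried by both the PORT command and the 227 reply.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_connection(line):
    """Work out the data connection a control-channel line sets up.
    Returns (mode, ip, port): in active mode the server connects out from
    port 20 to the client's PORT address; in passive mode the client connects
    to the address the server announces in its 227 reply. None if neither."""
    if line.upper().startswith("PORT "):
        mode = "active"
    elif line.startswith("227 "):
        mode = "passive"
    else:
        return None
    m = _HOSTPORT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed address: do not open a data-channel pinhole
    return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
```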
Edit the FTP proxy
To change the default settings of the FTP proxy, select Firewall > Outgoing from the navigation menu. Find
the FTP proxy and click Edit. Make sure you look at all tabs of the FTP proxy configuration. The Properties tab
shows you what port and protocol the proxy uses. You cannot make changes on this tab.
Set access control options
On the Outgoing or Incoming tab, you can set rules that filter IP addresses, network addresses, or host ranges.
This is the same functionality you have in packet filter policies.
1. Select the Outgoing tab.
2. From the Outgoing Filter drop-down list, select Deny, Allow, or No Rule.
3. Use the From drop-down list to add the IP address, network address, range of IP addresses of computers on the trusted or optional network, or an alias for which this policy applies.
Network IP addresses must be entered in slash notation (also known as Classless Inter-Domain Routing or CIDR notation). For more information, see About Slash Notation.
4. Click Add. The From text box shows the IP addresses you added. The From text box can have more than one entry.
5. Use the To drop-down list to add the IP address, network address, range of IP addresses of computers on the external network, or an alias for which this policy applies.
Network IP addresses must be entered in slash notation.
6. Click Add.
To add additional IP addresses, repeat steps 3–6.