Inbound FTP Passive Mode

The 3 FTP proxy options are described inside this post.

https://community.sophos.com/products/unified-threat-management/f/recommended-reads/115522/sophos-utm-securing-and-configuring-web-filtering

All of the proxies are intended to protect client systems from malicious server content, so I don't think they are useful for your situation.   Using them for inbound traffic might create vulnerabilities.  Since the proxies bypass Firewall Rules, you have to be sure that the proxy allows only what you intend to allow.  You can replace Firewall Rule blocks with DNAT-to-DeadEnd rules, but it is clumsy.

I don't see any incremental risk from allowing all of those ports to be open on UTM, since they will only be open on the FTP server when they are needed.

The related issue is to understand the inadequacy of FTP.   Neither the login nor the download is encrypted, so a login-based FTP is unwise, and downloading sensitive data may be unwise.   Any login from the internet should be moving to 2-factor authentication instead of just username and password.

Your better options are:

• FTPS, which is easy to do with Microsoft's IIS web server
• SFTP
• WAF with downloadable links
• VPN client

I believe that any of the first three options can be implemented with or without logins.   Most or all of the options also eliminate the dual-session problem -- I am fuzzy about SFTP as I have not configured an SFTP site.

The 3 FTP proxy options are described inside this post.

https://community.sophos.com/products/unified-threat-management/f/recommended-reads/115522/sophos-utm-securing-and-configuring-web-filtering

All of the proxies are intended to protect client systems from malicious server content, so I don't think they are useful for your situation.   Using them for inbound traffic might create vulnerabilities.  Since the proxies bypass Firewall Rules, you have to be sure that the proxy allows only what you intend to allow.  You can replace Firewall Rule blocks with DNAT-to-DeadEnd rules, but it is clumsy.

I don't see any incremental risk from allowing all of those ports to be open on UTM, since they will only be open on the FTP server when they are needed.

The related issue is to understand the inadequacy of FTP.   Neither the login nor the download is encrypted, so a login-based FTP is unwise, and downloading sensitive data may be unwise.   Any login from the internet should be moving to 2-factor authentication instead of just username and password.

Your better options are:

• FTPS, which is easy to do with Microsoft's IIS web server
• SFTP
• WAF with downloadable links
• VPN client

I believe that any of the first three options can be implemented with or without logins.   Most or all of the options also eliminate the dual-session problem -- I am fuzzy about SFTP as I have not configured an SFTP site.

So they're all to protect the client. Even the FTP proxy under Web Protection.

Agreed, plain FTP is insecure and shouldn't be used when other options are available. I've set up my FTP server to only use TLS. But didn't want my original post complicated with TLS discussion. The ports used are still the same (on my setup), so that was what I needed to know about.

I definitely want to be able to block IP ranges or hosts from incoming traffic. It's been my observation that when the Generic Proxy I had set up for FTP traffic didn't require any firewall rules I thought I was missing something. But apparently I'm not. It would be nice if the Generic proxy & FTP Proxy had better access control instead of just "include" lists.

But it is what it is.

I'll just stick to the DNAT & Firewall rules and skip any proxying.

Thanks for the feedback, Douglas.