Anyone using Standard-Mode FTP Proxy?

Here is my understanding of how UTM will behave in different configurations and client actions.   Understanding how a defense technology works seems essential to choosing and implementing a security policy.

FTP using standard port 21

FTP using non-standard port, such as 9999:

General Notes:

FTP proxy provides extraordinarily poor logging.   I indicated earlier that my tests using ftp in a web browser produced a log with source IP but nothing about target host, IP, or action performed.

FTP proxy has the advantage that one can easily implement a whitelist-only configuration, so that users can only ftp to specifically listed internet destinations.   For Web Proxy, this can probably be configured using regular expressions to configure allow and block rules in the Filter Action.    This assumption requires testing, but we can agree that that if it works it is certainly more difficult to configure correctly, and more flexible in how it can be applied.

For non-standard ports, FTP proxy is presumed to allow all ports by default, since there is no configuration related to this possibility.   Web Proxy will block non-standard ports unless they are authorized on the Filtering Options... Misc... tab.

When traffic is processed by firewall rules, the firewall considers IP addresses and ports, but I don't believe there is any attempt to interpret traffic by protocol.   So it cannot actually filter on "FTP" protocol, it can only filter based whether traffic is allowed or blocked to port 21 or 9999. 

What if I want User-Based Policy Rules for FTP?

Web Proxy implements user-based filtering and logging, but as I indicated earlier, Chrome does not pass the HTLM information needed for UTM to apply FTP user filtering on a transparent basis.

FTP Proxy does not seem to implement any user-based filtering or logging.

Firewall Rules can filter on "user network" objects, but my understanding is that they represent the current IP address of a user on a VPN Client connection.  As such, they could be used anywhere an IP address can be used (such as a Source IP filter list for Web Proxy or FTP Proxy), but they are not applicable to non-VPN connections, they will not provide user identity in the FTP logs, and the user must identify himself to Web Proxy by another method.

Conclusions

Based on all of the above, I conclude that Standard Web Proxy is the best of the available options, which can be enforced by using firewall rules to block port 21 and 2121, and disabling both Transparent and Non-Transparent FTP Proxies.

But can I use a non-browser with Standard Web Proxy?

The Microsoft FTP client knows nothing about proxies and has no proxy configuration options.  So probably not.

I reviewed configuration options for two FTP client applications, WinSCP and FTP Voyager.  Both of these products provided options to support multiple proxy technologies, including HTTP.   So if you have the right client application, the answer is yes.

Follow-Up:

This is really two questions for the community:   Do I have my facts straight, and do you agree with my conclusions?

"But can I use a non-browser with Standard Web Proxy?

"The Microsoft FTP client knows nothing about proxies and has no proxy configuration options.  So probably not."

Try FileZilla, Doug.

Cheers - Bob

I was working through the corporate control issues when I asked that, and have since looked more closely at what good ftp clients can do.   The good ones support multiple proxy methods, but none seem to be able to use the system settings, as they cannot be expected to parse proxy.pac files.

The tough policy nut is blocking ftp login prompts, since these are unencrypted.

I was working through the corporate control issues when I asked that, and have since looked more closely at what good ftp clients can do.   The good ones support multiple proxy methods, but none seem to be able to use the system settings, as they cannot be expected to parse proxy.pac files.

The tough policy nut is blocking ftp login prompts, since these are unencrypted.