FTP Control

Application Control provides control over the FTP control channel and FTP uploads and downloads with the FTP Command and File Content match object types. Using these, you can regulate FTP usage very effectively. The following two use cases are described in this section:
Blocking Outbound Proprietary Files Over FTP
Blocking Outbound UTF-8 / UTF-16 Encoded Files
Blocking FTP Commands

Blocking Outbound Proprietary Files Over FTP

For example, to block outbound file transfers of proprietary files over FTP, you can create a policy based on keywords or patterns inside the files.

To block outbound proprietary files:
1
Create a match object of type File Content that matches on keywords in files.

Optionally, you can create a customized FTP notification action that sends a message to the client.

2
Create a policy that references this match object and action. If you prefer to simply block the file transfer and reset the connection, you can select the Reset/Drop action when you create the policy.

Blocking Outbound UTF-8 / UTF-16 Encoded Files

Native Unicode UTF-8 and UTF-16 support by Application Control allows encoded multi-byte characters, such as Chinese or Japanese characters, to be entered as match object content keywords using the alphanumeric input type. Application Control supports keyword matching of UTF-8 encoded content typically found in Web pages and email applications, and UTF-16 encoded content typically found in Windows OS/Microsoft Office based documents.

Blocking outbound file transfers of proprietary Unicode files over FTP is handled in the same way as blocking other confidential file transfers:

1
Create a match object that matches on UTF-8 or UTF-16 encoded keywords in files.
2
Create a policy that references the match object and blocks transfer of matching files.

The example shown below uses a match object type of File Content with a UTF-16 encoded Chinese keyword that translates as “confidential document.”

3
Create a policy that references the match object, as shown below. This policy blocks the file transfer and resets the connection. Enable Logging is selected so that any attempt to transfer a file containing the UTF-16 encoded keyword is logged.

A log entry is generated after a connection Reset/Drop. An example of a log entry is shown below, including the Message stating that it is an Application Control Alert, displaying the Policy name and the Action Type of Reset/Drop.

Blocking FTP Commands

You can use Application Control to ensure that your FTP server is read-only by blocking commands such as put, mput, rename_to, rename_from, rmdir, and mkdir. This use case shows an match object containing only the put command, but you could include all of these commands in the same match object.

To block FTP commands:
1
Create a match object that matches on the put command. Because the mput command is a variation of the put command, a match object that matches on the put command will also match on the mput command.

2
Optionally, you can create a customized FTP notification action that sends a message to the client; for example:

3
Create a policy that references this match object and action. If you prefer to simply block the put command and reset the connection, you can select the Reset/Drop action when you create the policy.