Student Guide
FTP Proxy
Configuring the FTP Proxy
Appliance: Firebox® X Core / Firebox X Core e-Series / Firebox X Peak / Firebox X Peak e-Series
Appliance software versions: Fireware® and Fireware Pro 10
Management software versions: WatchGuard® System Manager 10
Training module: FTP Proxy

Before you do the exercises, be sure to read and become familiar with the information in the “Course Introduction” training module available at: http://www.watchguard.com/training/courses.asp
Proxy Actions
A proxy action is a set of rules that control how the Firebox applies a proxy to control traffic of a particular
type. Policy Manager includes at least one proxy action ruleset for each proxy. Many proxies, such as FTP,
include both a client and a server proxy action. You can either use the default rulesets provided or
customize the proxy action.
When you modify the settings of a proxy action, such as changing the types of file downloads that are allowed, Policy Manager creates a new proxy action based on the proxy action you modified and keeps the original proxy action and its default settings unmodified. For example, a modified FTP-Client proxy action would create an ‘FTP-Client.1’ proxy action that could be applied to other FTP policies in the future. The original proxy action is always available, since it is never actually changed when these new actions are ‘cloned’.
You can also import proxy actions, rulesets, WebBlocker exceptions, and spamBlocker exceptions. This
significantly reduces setup time when you have multiple policies or multiple Fireboxes.
When you add an FTP proxy policy to your Firebox® configuration, you get access to two proxy actions. You
can use the default rulesets included with these proxy actions, or you can use the rulesets as a base for a
proxy action to meet the needs of your organization. This module shows you how to customize these two
proxy actions.
FTP-Client
This proxy action includes rulesets to control FTP commands sent from computers protected by your
Firebox. FTP client applications use specific commands that the Firebox can identify and control. Use the
FTP-Client proxy action to control outbound FTP traffic.
FTP-Server
This proxy action controls inbound FTP connections to an FTP server protected by your Firebox. The
default configuration includes rules that prevent commands and actions that frequently indicate an
attack on your FTP server.
Protocol Command   Client Command    Description
NLST               dir               Detailed listing of files in the current directory path
CDUP               cd..              Move up in the server’s directory tree
CWD                cd <path>         Change to a specific directory on the server
SITE               site <command>    Send server-specific command. This command is associated with FTP denial of service attacks and is often blocked for all FTP-Server proxy configurations.
Download
The Download ruleset controls the file names, extensions, or URL paths that users can use FTP to
download. Use the FTP-Server proxy action to control download rules for an FTP server protected by the
Firebox. Use the FTP-Client proxy action to set download rules for users connecting to external FTP
servers.
Upload
The Upload ruleset controls the file names, extensions, or URL paths that users can use FTP to upload. Use
the FTP-Server proxy action to control upload rules for an FTP server protected by the Firebox. Use the
FTP-Client proxy action to set upload rules for users connecting to external FTP servers. The default
configuration of the FTP-Client is to allow all files to be uploaded.
Antivirus
If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set
the actions necessary if a virus is found in a file that is uploaded or downloaded. For more information,
see the “Signature Services“ training module.
Intrusion Prevention
You can use the Intrusion Prevention Service (IPS) to monitor the FTP control channel to look for
signatures that match those in the IPS database. This option is available when you purchase a license for
the optional Intrusion Prevention Service.
Proxy and AV Alarm
An alarm is a mechanism to tell a network administrator when network traffic matches criteria for
suspicious traffic or content. When an alarm event occurs, the Firebox does an action that you configure.
For example, you can set a threshold value for file length. If the file is larger than the threshold value, the
Firebox can send a log message to the Log Server.
2. Click the plus (+) sign on the Policy Manager toolbar to open the Policies dialog box.
You can also select Edit > Add Policy.
3. Expand the Proxies folder. Click FTP-proxy to select it. Click Add.
The New Policy Properties dialog box appears.
4. In the Name text box, type FTP-Proxy-Client .
The Name identifies the policy in your policy list.
5. Select the Properties tab. Make sure that FTP-Client is the selected proxy action.
6. Click .
The FTP Proxy Configuration dialog box appears for the FTP-Client action.
4. Select the check boxes adjacent to Alarm and Log.
This tells the Firebox to send a notification each time an FTP client tries to use the STOR command that is denied by
the Firebox. At the same time, the Firebox also sends a log message about the denied event to the Log Server.
4. Select *.scr. Make sure that under Actions to Take, the If matched value is set to Deny. You can use ? for a single character. For example, if you type *Sc? in the Pattern text box, you match a.scr or b.Sci or c.scZ.

In Fireware v9.1 and higher, you can export custom proxy configurations from one configuration to an XML file, and then import the ruleset to another Firebox configuration file. You can see the Import and Export functions when you look at a proxy ruleset in the Advanced view.

3. Click OK to close the FTP Proxy Configuration dialog box.
Because FTP-Client is a template, you cannot change it. You can only make a copy and use it for your policies.
4. Click OK to clone the template.
The default name for a clone is FTP-Client.1. You can also give it a friendly name to help you recognize it.
The Edit Policy Properties dialog box appears. The proxy action selected is FTP-Client.1.
5. Click OK to close the New Policy Properties dialog box. Click Close to close the Add Policies dialog box.
Exercise 2: Configure an FTP-Server Proxy Action
In this exercise, you edit the predefined FTP-Server ruleset to restrict the types of FTP connections to the
Successful Company FTP server. Specifically, you will:
• Make sure that no user connecting to the Successful FTP server is able to delete a file on the server.
• Restrict the type of files that users can upload to the FTP server to text files only, to help prevent abuse of
the Successful Company FTP server as a warez repository.
4. Click the Properties tab. Use the Proxy action drop-down list to select FTP-Server. Click .
5. From the Categories list, select Commands.
The table in “FTP Proxy Rulesets” on page 3 shows that the command to delete files from a server is DELE. The DELE* command appears in the rules list in the FTP-Server template, and the default configuration allows connection.

The default FTP-Server proxy action template denies any FTP command to the server that is not on the list. In other words, most commands to your FTP server will not operate. This is a strong security policy that allows only the minimum number of commands needed to meet your business requirements.

7. Clear the check box adjacent to Allow DELE*. Click Edit.
The Edit Command Rules dialog box appears for the Rule Name DELE*.
8. Below Rule Actions, use the Action drop-down list to select Deny.
9. Click OK to close the Edit Commands Rule dialog box. Select the check box adjacent to Deny DELE* to enable the rule.
This rule tells the Firebox to deny any FTP connections that try to delete a file from the FTP server.
Restrict FTP File uploads to text only
In this section, you allow a user to save a text file to the Successful Company FTP server.
1. From the Categories list, select Upload.
2. In the Pattern text box, type *.txt . Click Add.
3. In the Actions to Take section, use the If Matched drop-down list to select Allow.
This tells the Firebox to allow the upload of files with the *.txt file extension to the FTP server.
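The Commands, Upload and Download rulesets above all work the same way: a control-channel command (or the file name carried by STOR/RETR) is matched against wildcard patterns, and a rule's action, alarm and log settings decide what the Firebox does. The following Python model is an added example, not code from the WatchGuard module or Policy Manager; it reproduces the two exercises (DELE denied and uploads restricted to *.txt on the FTP-Server action, *.scr downloads denied with alarm and log on the FTP-Client action) over a constructed FTP session. The evaluation order (top-down, first matching pattern wins, a per-list default action) and the command allow list for the server are assumptions chosen for the example.

```python
"""Added example (not WatchGuard code): a toy model of how a command-aware
FTP proxy evaluates its Commands, Upload and Download rulesets against
lines seen on the FTP control channel.

Assumptions (not taken from the training module): rule lists are evaluated
top-down, the first matching pattern wins, and each list has its own default
action. Pattern syntax follows the module: '*' matches any run of characters,
'?' matches exactly one character, and matching is case-insensitive.
"""
from dataclasses import dataclass


def wildcard_match(pattern: str, text: str) -> bool:
    """Case-insensitive glob: '*' = any run of characters, '?' = one character."""
    p, t = pattern.lower(), text.lower()

    def rec(i: int, j: int) -> bool:
        if i == len(p):
            return j == len(t)
        if p[i] == "*":
            # '*' may consume zero or more characters of the text
            return any(rec(i + 1, k) for k in range(j, len(t) + 1))
        if j < len(t) and (p[i] == "?" or p[i] == t[j]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


@dataclass(frozen=True)
class Rule:
    pattern: str
    action: str          # "Allow" or "Deny"
    alarm: bool = False  # notify the administrator when the rule matches
    log: bool = False    # send a log message to the Log Server


@dataclass
class Ruleset:
    rules: list[Rule]
    default: str  # action taken when no pattern matches (assumed per-list default)

    def lookup(self, text: str) -> Rule:
        for rule in self.rules:
            if wildcard_match(rule.pattern, text):
                return rule
        return Rule("(default)", self.default)


@dataclass
class ProxyAction:
    name: str
    commands: Ruleset
    uploads: Ruleset
    downloads: Ruleset


def evaluate(action: ProxyAction, control_line: str) -> dict:
    """Decide what the proxy does with one FTP control-channel command."""
    verb, _, argument = control_line.strip().partition(" ")
    verb = verb.upper()
    rule = action.commands.lookup(verb)
    # STOR is an upload and RETR a download: the file name must also pass the
    # corresponding ruleset, but only if the command itself was allowed.
    if rule.action == "Allow" and verb == "STOR":
        rule = action.uploads.lookup(argument)
    elif rule.action == "Allow" and verb == "RETR":
        rule = action.downloads.lookup(argument)
    return {"command": verb, "verdict": rule.action, "matched": rule.pattern,
            "alarm": rule.alarm, "log": rule.log}


# FTP-Server proxy action as left by Exercise 2 (constructed values): a minimal
# command allow list, DELE explicitly denied and logged, every other command
# denied by default, and uploads restricted to *.txt.
ALLOWED_SERVER_COMMANDS = ("USER", "PASS", "SYST", "PASV", "TYPE",
                           "LIST", "RETR", "STOR", "QUIT")
FTP_SERVER = ProxyAction(
    name="FTP-Server.1",
    commands=Ruleset(
        rules=[Rule(c, "Allow") for c in ALLOWED_SERVER_COMMANDS]
        + [Rule("DELE*", "Deny", log=True)],
        default="Deny"),
    uploads=Ruleset(rules=[Rule("*.txt", "Allow")], default="Deny"),
    downloads=Ruleset(rules=[], default="Allow"),
)

# FTP-Client proxy action with the *.scr download rule from Exercise 1:
# outbound commands allowed, screensaver downloads denied with alarm and log.
FTP_CLIENT = ProxyAction(
    name="FTP-Client.1",
    commands=Ruleset(rules=[], default="Allow"),
    uploads=Ruleset(rules=[], default="Allow"),
    downloads=Ruleset(rules=[Rule("*.scr", "Deny", alarm=True, log=True)],
                      default="Allow"),
)

# A constructed inbound session against the protected server.
SERVER_SESSION = [
    "USER alice", "PASS s3cret", "CWD pub", "STOR report.txt",
    "STOR tool.exe", "DELE report.txt", "RETR readme.txt", "SITE chmod 777 x",
]

if __name__ == "__main__":
    for line in SERVER_SESSION:
        print(f"{line:20} -> {evaluate(FTP_SERVER, line)}")
    print(evaluate(FTP_CLIENT, "RETR funny.scr"))
```

Running the block shows the behaviour the sidebar describes: CWD and SITE are denied because they are not on the server's command list, STOR report.txt passes the *.txt upload rule while STOR tool.exe falls through to the Deny default, and DELE returns a Deny verdict with log set so the event reaches the Log Server.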
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or False: You must use the FTP proxy if you want to use the File Transfer Protocol through the
Firebox. The FTP packet filter does not handle active mode.
2. Fill in the blanks: A ______________ examines the commands used in a connection to make sure they
are in the correct syntax and order. A ________________ examines only the packet IP header
information.
3. Select the best pattern match to block FTP upload of Microsoft Excel spreadsheets:
A) *.xls
B) *XLS
D) secure_file.*ls
E) All of the above
Use the information in this screen capture to answer the next two questions.
4. True or False: If an FTP server is protected with an FTP proxy server ruleset with this configuration, an FTP
client will be able to log in to this FTP server.
5. Which of these FTP client commands can be successfully used, based on the commands shown in the
image above?
A) site
B) dir
C) help
D) syst
E) pasv
F) bin
G) get
H) None of the above
I) All of the above
6. Fill in the blank: To control access to an FTP server on your optional network, start with the
_____________ proxy action.
ANSWERS
1. False — Both the FTP packet filter and the FTP proxy can handle active mode FTP.
2. proxy, packet filter
3. A
4. True — The necessary FTP protocol commands USER and PASS are allowed and will allow authentication.
5. B, D, G
6. FTP-Server
WatchGuard Firewall Basics