Server-Level FTP Options
You can set options for decoding on multiple FTP servers. Each server profile you create contains the server IP address and the ports on the server where traffic should be monitored. You can specify which FTP commands to validate and which to ignore for a particular server, and set maximum parameter lengths for commands. You can also set the specific command syntax the decoder should validate against for particular commands and set alternate maximum command parameter lengths.
If no preprocessor rule is mentioned in the following descriptions, the option is not associated with a preprocessor rule.
Networks
Use this option to specify one or more IP addresses of FTP servers.
You can specify a single IP address or address block, or a comma-separated list comprised of either or both. You can configure up to 1024 characters, and you can specify up to 255 profiles including the default profile.
Note that the default setting in the default policy specifies all IP addresses on your monitored network segment that are not covered by another target-based policy. Therefore, you cannot and do not need to specify an IP address or address block for the default policy, and you cannot leave this setting blank in another policy or use address notation to represent any (for example, 0.0.0.0/0 or ::/0).
Ports
Use this option to specify the ports on the FTP server where the managed device should monitor traffic. In the interface, list multiple ports separated by commas. Port 21 is the well-known port for FTP traffic.
File Get Commands
Use this option to define the FTP commands used to transfer files from server to client. Do not change these values unless directed to do so by Support.
Caution: Do not modify the File Get Commands field unless directed to by Support.
File Put Commands
Use this option to define the FTP commands used to transfer files from client to server. Do not change these values unless directed to do so by Support.
Caution: Do not modify the File Put Commands field unless directed to by Support.
Additional FTP Commands
Use this line to specify the additional commands that the decoder should detect. Separate additional commands by spaces.
Additional commands you may want to add include XPWD, XCWD, XCUP, XMKD, and XRMD. For more information on these commands, see RFC 775, the Directory oriented FTP commands specification by the Network Working Group.
Default Max Parameter Length
Use this option to set the maximum parameter length the decoder checks for commands that have no alternate maximum parameter length of their own. You can add as many alternate maximum parameter lengths as needed.
You can enable rule 125:3 to generate events and, in an inline deployment, drop offending packets for this option. See Setting Intrusion Rule States.
Alternate Max Parameter Length
Use this option to specify commands where you want to detect a different maximum parameter length, and to specify the maximum parameter length for those commands. Click Add to add lines where you can specify a different maximum parameter length to detect for particular commands.
Check Commands for String Format Attacks
Use this option to check the specified commands for string format attacks.
You can enable rule 125:5 to generate events and, in an inline deployment, drop offending packets for this option. See Setting Intrusion Rule States.
Command Validity
Use this option to enter a valid format for a specific command. Click Add to add a command validation line.
You can enable rules 125:2 and 125:4 to generate events and, in an inline deployment, drop offending packets for this option. See Setting Intrusion Rule States.
Ignore FTP Transfers
Use this option to improve performance on FTP data transfers by disabling all inspection other than state inspection on the data transfer channel.
Note: To inspect data transfers, the global FTP/Telnet Stateful Inspection option must be selected.
Detect Telnet Escape Codes within FTP Commands
Use this option to detect when telnet commands are used over the FTP command channel.
You can enable rule 125:1 to generate events and, in an inline deployment, drop offending packets for this option. See Setting Intrusion Rule States.
Ignore Erase Commands during Normalization
When Detect Telnet Escape Codes within FTP Commands is selected, use this option to ignore telnet character and line erase commands when normalizing FTP traffic. The setting should match how the FTP server handles telnet erase commands. Note that newer FTP servers typically ignore telnet erase commands, while older servers typically process them.
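The following Python model shows how the per-server options described above (Additional FTP Commands, Default and Alternate Max Parameter Length, Check Commands for String Format Attacks, Command Validity, Detect Telnet Escape Codes within FTP Commands, and Ignore Erase Commands during Normalization) combine when a single FTP command line is decoded. It is an added example written for this page, not Cisco or Snort code; the ServerProfile field names, the default_profile() contents, the sample command lines, and the split between rule 125:2 (unknown command) and 125:4 (parameter fails the validity format) are assumptions chosen for illustration. The rule IDs themselves are the ones listed on the page.

```python
import re
from dataclasses import dataclass, field

IAC = 0xFF                                       # telnet "Interpret As Command" byte
TELNET_EC, TELNET_EL = 0xF7, 0xF8                # telnet Erase Character / Erase Line
TELNET_OPT_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL/WONT/DO/DONT carry an option byte

# printf-style conversion: "%" [flags] [width] [.precision] conversion letter
FORMAT_SPEC = re.compile(rb"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")


@dataclass
class ServerProfile:
    """One server profile; fields mirror the page's options (constructed names)."""
    ports: set = field(default_factory=lambda: {21})
    known_cmds: set = field(default_factory=set)
    default_max_param_len: int = 100
    alt_max_param_len: dict = field(default_factory=dict)   # cmd -> max length
    chk_str_fmt: set = field(default_factory=set)           # cmds checked for %n etc.
    cmd_validity: dict = field(default_factory=dict)        # cmd -> compiled regex
    telnet_cmds: bool = True                # Detect Telnet Escape Codes within FTP Commands
    ignore_telnet_erase_cmds: bool = True   # Ignore Erase Commands during Normalization


def default_profile() -> ServerProfile:
    """Constructed sample profile, including the RFC 775 X-commands from the page."""
    base = {b"USER", b"PASS", b"CWD", b"PWD", b"LIST", b"RETR", b"STOR",
            b"MODE", b"TYPE", b"PORT", b"QUIT"}
    extra = {b"XPWD", b"XCWD", b"XCUP", b"XMKD", b"XRMD"}   # Additional FTP Commands
    return ServerProfile(
        known_cmds=base | extra,
        default_max_param_len=100,
        alt_max_param_len={b"CWD": 250},          # alternate length for one command
        chk_str_fmt={b"USER", b"PASS", b"CWD", b"RETR", b"STOR"},
        cmd_validity={                            # assumed validity formats
            b"MODE": re.compile(rb"^[SBC]$"),
            b"TYPE": re.compile(rb"^[AEIL](?: [NTC])?$"),
            b"PORT": re.compile(rb"^\d{1,3}(?:,\d{1,3}){5}$"),
        },
    )


def normalize_telnet(raw: bytes, profile: ServerProfile):
    """Strip telnet IAC sequences from a command line; return (clean_line, saw_iac)."""
    out = bytearray()
    had_iac = False
    i = 0
    while i < len(raw):
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        had_iac = True
        if i + 1 >= len(raw):            # dangling IAC at end of line: drop it
            break
        cmd = raw[i + 1]
        i += 2
        if cmd == IAC:                   # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
        elif cmd in (TELNET_EC, TELNET_EL):
            if not profile.ignore_telnet_erase_cmds:   # older servers process erases
                if cmd == TELNET_EC:
                    if out:
                        out.pop()
                else:
                    out.clear()
        elif cmd in TELNET_OPT_NEGOTIATION:           # skip the option byte as well
            i += 1
    return bytes(out), had_iac


def inspect_command(raw: bytes, profile: ServerProfile) -> list:
    """Return the rule IDs (gid:sid as listed on the page) one command line triggers."""
    events = []
    line, had_iac = normalize_telnet(raw, profile)
    if had_iac and profile.telnet_cmds:
        events.append("125:1")                 # telnet escape codes on the command channel
    line = line.rstrip(b"\r\n")
    cmd, _, param = line.partition(b" ")
    cmd = cmd.upper()
    if cmd not in profile.known_cmds:
        events.append("125:2")                 # command not in the validated set
        return events
    limit = profile.alt_max_param_len.get(cmd, profile.default_max_param_len)
    if len(param) > limit:
        events.append("125:3")                 # parameter exceeds the configured maximum
    if cmd in profile.chk_str_fmt and FORMAT_SPEC.search(param):
        events.append("125:5")                 # string format attack in parameter
    pattern = profile.cmd_validity.get(cmd)
    if pattern is not None and not pattern.match(param):
        events.append("125:4")                 # parameter fails the validity format
    return events


if __name__ == "__main__":
    p = default_profile()
    for sample in (b"USER anonymous\r\n", b"STOR " + b"A" * 150 + b"\r\n",
                   b"USER %n%n%n\r\n", b"MODE Z\r\n", b"USEX\xff\xf7R anon\r\n"):
        print(sample[:20], inspect_command(sample, p))
```

The last sample line illustrates the point made under Ignore Erase Commands during Normalization: with erase commands ignored, the decoder sees the unknown command USEXR and raises 125:2 in addition to 125:1; with ignore_telnet_erase_cmds set to False, the erase is applied and the decoder sees USER, which is what an older server that processes erases would execute. Choosing the setting that matches the server's behaviour keeps the decoder's view and the server's view of the command identical.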
Troubleshooting Option: Log FTP Command Validation Configuration
Support might ask you during a troubleshooting call to configure your system to print the configuration information for each FTP command listed for the server.
Caution: Do not enable Log FTP Command Validation Configuration unless instructed to do so by Support.