Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Virus Scanning in the Firewall for FTP Traffic


The firewall scans FTP traffic for malware on a per-access-rule basis when FTP virus scanning in the firewall is enabled. Both active and passive FTP are supported; outgoing SSL-encrypted FTPS connections are also supported. Depending on the access rule, you can either protect your FTP server from uploads containing malware, or scan files downloaded from external FTP servers. Scanning incoming traffic for FTPS servers is not supported. Since the FTP protocol does not contain any MIME-type information, all files are scanned regardless of the MIME type list configured for the virus scanner.

When an FTP download is initiated, the FTP client creates a local, zero-byte file. Normally, the transferred data would be written to this file until the download is finished. However, if the file is determined to be malware, the connection is terminated immediately, leaving the zero-byte file or file fragment (if data trickling is enabled) on the client. Depending on the FTP client, it may attempt to download the file multiple times; each time the connection will be reset by the firewall.

If ATP is enabled, files passed by the virus scanner are then uploaded to be analyzed in the Barracuda ATP Cloud. ATP can be used only in the deliver first, then scan mode for FTP client connections. Files uploaded to FTP servers behind the firewall cannot be scanned by ATP.


Before You Begin

Step 1. Enable the Virus Scanner for FTP

Enable support for virus scanning FTP connections in the firewall.

  1. Go to FIREWALL > Settings.
  2. Make sure that Application Control is enabled.

  3. In the Virus Scanner section:
    1. Set Enable Virus Scanner to Yes.
    2. Set Enable for FTP to Yes.
  4. (optional) Click Show to configure Advanced Options:

    Changing settings for the Virus Scanner also affects virus scanning for other services. 

    1. Change the default behavior If Virus Scanning is not available.
      • Block All – (default) Block all files.

      • Allow All – All files will be allowed.

    2. Configure the following settings:
      • Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files. The large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will not be scanned. Instead, they will be delivered directly to the client.
      • Data Trickling – Change how fast and how much data is transmitted. Change these settings if your FTP client times out while waiting for the file to be scanned.
    3. Click Save.
  5. Click Save.

Step 2. Create an Access Rule for FTP Client Downloads

To scan files downloaded from external FTP servers, create a matching access rule and enable Application Control and the Virus Scanner.

  1. Go to FIREWALL > Access Rules.
  2. Create an access rule with the following settings:
    • Action – Select Allow.
    • Connection – Select Dynamic NAT.
    • Source – Select Trusted LAN, and click +.
    • Network Services – Select FTP, and click +.
    • Destination – Select Internet, and click +.
  3. Enable Application Control and Virus Scanner.
  4. Click Save.

Step 3. (optional) Create a Dst NAT Access Rule to Protect an Internal FTP Server

To protect an internal FTP server from receiving infected files, create a matching DNAT access rule, and enable Application Control and the Virus Scanner.

  1. Go to FIREWALL > Access Rules.
  2. Create an access rule with the following settings:
    • Action – Select Dst NAT.
    • Connection – Select Original Source IP.
    • Source – Select Internet, and click +.
    • Network Services – Select FTP, and click +.
    • Destination – Enter the public IP address or FQDN used for your FTP server, and click +.
    • Redirect – Enter the IP address of your internal FTP server. When using more than one FTP server, select Use Network Object as Target and add a network object. For more information, see How to Create Network Objects.
  3. Enable Application Control and Virus Scanner.
  4. Click Save.

Monitoring and Testing

You can test the Virus Scanner setup by downloading EICAR test files from an FTP server. Files that are detected as malware are not downloaded; the FTP client only creates 0-byte stub files.

To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
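One way to script the EICAR download test, as an added example that is not part of the Barracuda documentation: it fetches a test file through the firewall with Python's ftplib and classifies the attempt by how the transfer ended and how many bytes reached the local file. The FTP host, the remote path and the outcome labels are assumptions supplied by whoever runs the test.

```python
import ftplib
import os
import sys

DELIVERED, BLOCKED, FRAGMENT, INCONCLUSIVE = (
    "delivered", "blocked", "blocked-fragment", "inconclusive")


def classify(received, expected, error, started=True):
    """Interpret a download attempt made through the firewall."""
    if not started or isinstance(error, ftplib.error_perm):
        return INCONCLUSIVE   # never reached the transfer, or server refused RETR
    if expected is not None and received >= expected:
        return DELIVERED      # whole file arrived: it was not stopped
    if error is None and expected is None:
        return DELIVERED      # clean transfer, size unknown
    # Transfer was cut short: zero-byte stub, or a fragment when data
    # trickling let some bytes through before the connection ended.
    return BLOCKED if received == 0 else FRAGMENT


def fetch_test_file(host, remote_path, local_path,
                    user="anonymous", password="anonymous@"):
    """Download remote_path and report how the attempt ended."""
    expected, error, started = None, None, False
    with open(local_path, "wb") as out:   # the client-side zero-byte file
        try:
            with ftplib.FTP(host, timeout=30) as ftp:
                ftp.login(user, password)
                ftp.voidcmd("TYPE I")
                try:
                    expected = ftp.size(remote_path)
                except ftplib.error_perm:
                    pass                  # server does not answer SIZE
                started = True
                ftp.retrbinary("RETR " + remote_path, out.write)
        except ftplib.all_errors as exc:
            error = exc
    return classify(os.path.getsize(local_path), expected, error, started)


if __name__ == "__main__":
    # Usage: script.py <ftp-host> <path-to-EICAR-file> (both chosen by you)
    result = fetch_test_file(sys.argv[1], sys.argv[2], "eicar_download.bin")
    print(result)
    sys.exit(0 if result in (BLOCKED, FRAGMENT) else 1)
```

A "delivered" result for an EICAR file means the matching access rule is not scanning the connection; "inconclusive" means the test never got as far as the transfer and says nothing about the scanner.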


Next Steps

To combine ATP with virus scanning, see Advanced Threat Protection (ATP) and How to Configure ATP in the Firewall.