The firewall scans FTP traffic for malware on a per-access-rule basis when FTP virus scanning is enabled in the firewall. Both active and passive FTP are supported; outgoing SSL-encrypted FTPS connections are also supported. Depending on the access rule, you can either protect your FTP server from uploads containing malware or scan files downloaded from external FTP servers. Scanning incoming traffic for FTPS servers is not supported. Since the FTP protocol does not carry any MIME-type information, all files are scanned regardless of the MIME type list configured for the virus scanner.

When an FTP download is initiated, the FTP client creates a local, zero-byte file. Normally, the transferred data is written to this file until the download is finished. However, if the file is determined to be malware, the connection is terminated immediately, leaving the zero-byte file (or a file fragment, if data trickling is enabled) on the client. Depending on the FTP client, it may attempt to download the file multiple times; each time the connection is reset by the firewall.

If ATP is enabled, files passed by the virus scanner are then uploaded to the Barracuda ATP Cloud for analysis. ATP can be used only in the deliver first, then scan mode for FTP client connections. Files uploaded to FTP servers behind the firewall cannot be scanned by ATP.
Before You Begin
- (optional) Configure ATP in the firewall. For more information, see How to Configure ATP in the Firewall.
- (optional) Configure SSL Interception for outbound FTPS traffic. For more information, see How to Configure SSL Interception in the Firewall.
Step 1. Enable the Virus Scanner for FTP
Enable support for virus scanning FTP connections in the firewall.
- Go to FIREWALL > Settings.
Make sure that Application Control is enabled.
- In the Virus Scanner section:
- Set Enable Virus Scanner to Yes.
- Set Enable for FTP to Yes.
- (optional) Click Show to configure Advanced Options:
- Change the default behavior If Virus Scanning is not available:
- Block All – (default) Block all files.
- Allow All – All files will be allowed.
- Configure the following settings:
- Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files. The large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will not be scanned. Instead, they will be delivered directly to the client.
- Data Trickling – Change how fast and how much data is transmitted. Change these settings if your FTP client times out while waiting for the file to be scanned.
- Click Save.
Step 2. Create an Access Rule for FTP Client Downloads
To scan files downloaded from external FTP servers, create a matching access rule and enable Application Control and the Virus Scanner.
- Go to FIREWALL > Access Rules.
- Create an access rule with the following settings:
- Action – Select Allow.
- Connection – Select Dynamic NAT.
- Source – Select Trusted LAN, and click +.
- Network Services – Select FTP, and click +.
- Destination – Select Internet, and click +.
- Enable Application Control and Virus Scanner.
- Click Save.
Step 3. (optional) Create a Dst NAT Access Rule to Protect an Internal FTP Server
To protect an internal FTP server from receiving infected files, create a matching DNAT access rule, and enable Application Control and the Virus Scanner.
- Go to FIREWALL > Access Rules.
- Create an access rule with the following settings:
- Action – Select Dst NAT.
- Connection – Select Original Source IP.
- Source – Select Internet, and click +.
- Network Services – Select FTP, and click +.
- Destination – Enter the public IP address or FQDN used for your FTP server, and click +.
- Redirect – Enter the IP address of your internal FTP server. When using more than one FTP server, select Use Network Object as Target and add a network object. For more information, see How to Create Network Objects.
- Enable Application Control and Virus Scanner.
- Click Save.
Monitoring and Testing
You can test the Virus Scanner setup by downloading EICAR test files from an FTP server. Files identified as malware are not downloaded; instead, the FTP client leaves 0-byte stub files behind.
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
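The following Python script automates the EICAR check described above. It is an added example, not part of the Barracuda documentation: it writes the standard EICAR test file for you to stage on an FTP server you control, downloads it through the firewall with ftplib (plain FTP or outgoing FTPS), and classifies what the client left behind as delivered, zero-byte stub, or trickled fragment. Host name, account and file names in the `__main__` block are placeholders.

```python
"""Check that FTP virus scanning is applied: stage an EICAR file on an FTP server
you control, download it through the firewall, and classify what the client kept."""
import ftplib
import os

# Industry-standard harmless antivirus test pattern (68 bytes); scanners flag it by content.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def write_eicar(path):
    """Write the test file that you then upload to your test FTP server."""
    with open(path, "wb") as f:
        f.write(EICAR)
    return len(EICAR)


def classify(bytes_on_disk, expected_size, transfer_completed):
    """Map the client-side outcome to the firewall behaviour described on this page."""
    if transfer_completed and bytes_on_disk == expected_size:
        return "delivered"            # scanning is not applied on this path
    if bytes_on_disk == 0:
        return "blocked-zero-byte"    # connection reset before any payload arrived
    if bytes_on_disk < expected_size:
        return "blocked-fragment"     # data trickling sent some bytes, then reset
    return "delivered"


def fetch_and_classify(host, user, password, remote_name, local_path,
                       expected_size=len(EICAR), use_ftps=False, timeout=30):
    """Download remote_name over passive FTP (or outgoing FTPS when use_ftps=True)."""
    ftp = ftplib.FTP_TLS(timeout=timeout) if use_ftps else ftplib.FTP(timeout=timeout)
    completed = False
    try:
        ftp.connect(host, 21)
        ftp.login(user, password)
        if use_ftps:
            ftp.prot_p()              # encrypt the data channel as well
        ftp.set_pasv(True)
        with open(local_path, "wb") as f:   # the client creates its zero-byte file here
            ftp.retrbinary("RETR " + remote_name, f.write)
        completed = True
    except (OSError, EOFError, ftplib.Error):
        completed = False             # firewall reset the connection, or server error
    finally:
        try:
            ftp.quit()
        except Exception:
            pass
    on_disk = os.path.getsize(local_path) if os.path.exists(local_path) else 0
    return classify(on_disk, expected_size, completed)


if __name__ == "__main__":
    # Placeholder server, account and file names: replace with your own test setup.
    print(fetch_and_classify("ftp.example.test", "testuser", "secret", "eicar.com", "eicar.com"))
```

A result of "delivered" for the EICAR file means the access rule handling that connection does not have Application Control and Virus Scanner enabled.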
Next Steps
To combine ATP with virus scanning, see Advanced Threat Protection (ATP) and How to Configure ATP in the Firewall.