Barracuda NextGen Firewall X

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

How to Configure Virus Scanning in the Firewall for FTP Traffic


The X-Series Firewall scans FTP traffic for malware on a per-access-rule basis when FTP virus scanning in the firewall is enabled. Both active and passive FTP are supported; SSL-encrypted FTP is not supported. Depending on the access rule, you can either protect your FTP server from uploads containing malware or scan files downloaded from external FTP servers. Because the FTP protocol does not carry any MIME-type information, all files are scanned regardless of the MIME-type list configured for the virus scanner.

When an FTP download is initiated, the FTP client creates a local, zero-byte file. Normally, the transferred data is written to this file until the download is finished. However, if the file is determined to be malware, the firewall terminates the connection immediately, leaving the zero-byte file, or a file fragment if data trickling is enabled, on the client. Depending on the FTP client, it may attempt to download the file multiple times; each time, the firewall resets the connection.


Step 1. Enable Virus Protection for FTP

Enable support for virus scanning FTP connections in the firewall.

  1. Go to the FIREWALL > Settings page.
  2. Make sure that Application Control is enabled.

  3. In the Virus Protection section:
    1. Set Enable Virus Protection to Yes.
    2. Set Enable for FTP to Yes.
  4. (optional) Click Show to configure Advanced Options:

    Changing settings for the virus scanner also affects virus scanning for other services. 

    1. Change the default behavior If Virus Scanner is not available.
      • Block All – (default) Block all files.

      • Allow All – All files will be allowed.

    2. Configure the following settings:
      • Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files. The large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will not be scanned. Instead, they will be delivered directly to the client.
      • Data Trickling – Change how fast and how much data is transmitted. Change these settings if your FTP client times out while waiting for the file to be scanned.
    3. Click Save.
  5. Click Save.

Step 2. Create an access rule for FTP client downloads

To scan files downloaded from external FTP servers, create a matching access rule and enable Application Control and Virus Protection.

  1. Go to FIREWALL > Firewall Rules.
  2. Create an access rule with the following settings:
    • Action – Select Allow.
    • Connection – Select Dynamic SNAT.
    • Source – Select Trusted LAN, and click +.
    • Network Services – Select FTP, and click +.
    • Destination – Select Internet, and click +.
  3. Enable Application Control and Virus Protection.
  4. Click Save.

Step 3. (optional) Create a DNAT access rule to protect an internal FTP server

To protect an internal FTP server from receiving infected files, create a matching DNAT access rule, and enable Application Control and Virus Protection.

  1. Go to FIREWALL > Firewall Rules.
  2. Create an access rule with the following settings:
    • Action – Select DNAT.
    • Connection – Select No SNAT.
    • Source – Select Internet, and click +.
    • Network Services – Select FTP, and click +.
    • Destination – Enter the public IP address or FQDN used for your FTP server, and click +.
    • Redirect – Enter the IP address(es) of your internal FTP server(s), and click +.
  3. Enable Application Control and Virus Protection.
  4. Click Save.

Monitoring and testing

You can test the virus scanner setup by downloading EICAR test files from an FTP server. Files that are detected as malware are not downloaded; only the 0-byte stub files created by the FTP client remain.

To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
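The download test described above can be scripted. The following is an added example, not Barracuda code: it uses Python's standard `ftplib` to fetch a file and report whether the client ended up with the complete file, a zero-byte stub, or a fragment (the data-trickling case). The names `classify_download`, `FakeSession` and `demo`, and the sample payload, are constructed for illustration.

```python
import ftplib
import os
import tempfile

def classify_download(ftp, remote_name, local_path):
    """Fetch remote_name over an ftplib.FTP-style session; report what is left on disk."""
    try:
        ftp.voidcmd("TYPE I")             # SIZE is only reliable in binary mode
        expected = ftp.size(remote_name)
    except ftplib.all_errors:
        expected = None                   # server without SIZE support
    error = None
    with open(local_path, "wb") as fh:    # like a real client: zero-byte file first
        try:
            ftp.retrbinary("RETR " + remote_name, fh.write)
        except ftplib.all_errors as exc:  # covers connection resets (OSError) and EOFError
            error = exc
    got = os.path.getsize(local_path)
    if error is None and expected in (None, got):
        verdict = "delivered"
    elif got == 0:
        verdict = "not delivered: zero-byte stub"
    else:
        verdict = "not delivered: fragment"
    return verdict, got

class FakeSession:
    """Constructed stand-in for ftplib.FTP so the example runs offline."""
    def __init__(self, payload, reset_after=None):
        self.payload, self.reset_after = payload, reset_after
    def voidcmd(self, cmd):
        return "200 OK"
    def size(self, name):
        return len(self.payload)
    def retrbinary(self, cmd, callback):
        if self.reset_after is not None:
            callback(self.payload[:self.reset_after])  # bytes trickled before the reset
            raise ConnectionResetError("connection reset by peer")
        callback(self.payload)
        return "226 Transfer complete"

def demo():
    data = b"constructed sample payload"  # constructed data, not a real test file
    cases = [FakeSession(data), FakeSession(data, 0), FakeSession(data, 5)]
    with tempfile.TemporaryDirectory() as tmp:
        return [classify_download(s, "sample.bin", os.path.join(tmp, f"f{i}"))
                for i, s in enumerate(cases)]
```

Against a live setup, pass a connected `ftplib.FTP` session for your own test server instead of `FakeSession`. A reset can also come from an unrelated network fault, so confirm the detection on the BASIC > Recent Threats page.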
