
Allowing Users to Use FTP only for File Download But Not for File Upload

Application behavior control is enabled on the FW to allow users to use FTP only for file download, but not for file upload.

Faced Problems

As shown in Figure 1, an enterprise deploys the FW as a gateway to connect the intranet to the Internet. The enterprise provides an FTP server for intranet users to communicate with Internet users. The intranet users and Internet users use the same public account to access the FTP server. Intranet users upload files to and download files from the FTP server to process related services.

The Internet users also have the permission to upload files to and download files from the FTP server. Some Internet users upload malicious files or invalid files, endangering network security.

Figure 1 Allowing users to use FTP only for file download but not for file upload

Solution

With the application behavior control function, the FW controls FTP-based file upload: Internet users are allowed to download files from the FTP server but are not allowed to upload files to it.

Reference the application behavior control profile in the security policy that permits Internet users to access the FTP server, so that those users cannot upload files to the FTP server.

  1. Log in to the web UI of the FW as the administrator.

  2. Choose Object > Security Profiles > Application Behavior Control.

  3. Click Add to create application behavior control profile profile_appc. In FTP Behavior Control, set FTP File Upload to Deny.

  4. Click OK.

  5. Choose Policy > Security Policy > Security Policy.

  6. Click Add Security Policy. Configure matching conditions for the security policy as required and reference application behavior control profile profile_appc in the security policy.

    Set security policy parameters as follows:

    Parameter                                          Value
    Name                                               policy1
    Source Zone                                        untrust
    Destination Zone                                   dmz
    Destination Address/Region                         192.168.1.100/255.255.255.255
    Action                                             Permit
    Content Security: Application Behavior Control     profile_appc

  7. Click OK.

Verification

Internet users can only download files from the FTP server, but cannot upload files to the FTP server. Intranet users can upload files to and download files from the FTP server.

Choose Monitor > Log > Content Log. You can view the application behavior control logs generated by the FW.

Configuration Scripts

The configuration script related to the example is as follows:

#
profile type app-control name profile_appc
 ftp-control file direction upload action deny
#
security-policy
 rule name policy1
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.1.100 mask 255.255.255.255
  profile app-control profile_appc
  action permit
#
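The script above can also be audited mechanically. As an added example (not part of this page or of Huawei's software), the following Python parses the configuration script shown above and reports any permit rule whose referenced application behavior control profile does not deny FTP file upload; the block layout it relies on ("#" separators, "profile type app-control", "rule name") is assumed from the script as printed.

```python
# Configuration script from this page, embedded so the check runs offline.
CONFIG = """\
#
profile type app-control name profile_appc
 ftp-control file direction upload action deny
#
security-policy
 rule name policy1
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.1.100 mask 255.255.255.255
  profile app-control profile_appc
  action permit
#
"""


def parse(config: str):
    """One pass over the script: app-control profiles and security-policy rules.
    Block layout ('#' separators, keyword order) is assumed from the script above."""
    profiles, rules, mode = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("#"):
            mode = None                            # '#' ends the current block
        elif w[:3] == ["profile", "type", "app-control"]:
            mode = profiles.setdefault(w[4], [])   # list of ftp-control settings
        elif w == ["security-policy"]:
            mode = rules
        elif mode is rules and w[:2] == ["rule", "name"]:
            rules.append({"name": w[2]})
        elif mode is rules and rules:
            n = 2 if w[0] == "profile" else 1      # 'profile app-control X' keys on two words
            rules[-1][" ".join(w[:n])] = " ".join(w[n:])
        elif mode is not None and w[0] == "ftp-control":
            mode.append(" ".join(w))
    return profiles, rules


def permit_rules_without_ftp_upload_deny(config: str) -> list:
    """Names of permit rules whose app-control profile does not deny FTP upload."""
    profiles, rules = parse(config)
    bad = []
    for rule in rules:
        settings = profiles.get(rule.get("profile app-control", ""), [])
        denies = any("direction upload" in s and "action deny" in s for s in settings)
        if rule.get("action") == "permit" and not denies:
            bad.append(rule["name"])
    return bad
```

Running it on the page's script returns an empty list; removing the `profile app-control` line from the rule, or changing the profile's action to permit, makes `policy1` show up as a permit rule that still allows FTP upload.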
Copyright © Huawei Technologies Co., Ltd.