Creating an FTP command restriction rule
Certain FTP commands can expose your server(s) to attack. Configure FTP command restriction rules to specify acceptable FTP commands that clients can use to communicate with your server(s). For example, because attackers can exploit the PORT command to carry out FTP bounce attacks, restricting the PORT command can harden your network's security if you're using FTP.
For details about applying an FTP command restriction rule to an FTP server policy, see Configuring an FTP security inline profile.
You can place restrictions on the following FTP commands:
To create an FTP command restriction rule

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

Note: If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP command restriction rule. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

- Go to FTP Security > FTP Command Restriction.
- Click Create New.
- Configure these settings:
  - Name: Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.
  - Action: Select which action FortiWeb will take when it detects a violation of the rule:
    - Alert—Accept the connection and generate an alert email and/or log message.
    - Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
    - Deny (no log)—Block the request (or reset the connection).
    - Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
    The default value is Alert & Deny. Note: This setting will be ignored if Monitor Mode is enabled in a server policy. Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.
  - Block Period: Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds (1 hour). See also Monitoring currently blocked IPs. This setting is available only if Action is set to Period Block.
  - Severity: When rule violations are recorded in the attack log, each log message contains a Severity Level field with one of these values:
    - Informative
    - Low
    - Medium
    - High
    The default value is Medium.
  - Trigger Policy: Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
- From the list of Available Commands, select the FTP command(s) that you want to include in the rule. Use the arrows to move the command(s) to the list of Enabled Commands. Note: You can select multiple FTP commands by holding SHIFT or ALT when clicking commands.
- Click OK.
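The following Python model, added here as an illustration and not FortiWeb's own code or configuration syntax, shows how the four actions and the Block Period setting described above play out against a stream of FTP control-channel commands. The rule is modelled as the set of commands it matches (an assumption of the example, since the page does not spell out the matching semantics), the PORT argument is decoded per RFC 959 so the log can note when a client asks the server to open a data connection to a host other than itself (the pattern behind FTP bounce), and the session, client addresses, and the names `RestrictionRule`, `RestrictionEngine`, and `run_session` are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Action and severity names as listed on the page; their behaviour below is
# this example's reading of the descriptions, not FortiWeb's implementation.
ACTIONS = ("Alert", "Alert & Deny", "Deny (no log)", "Period Block")
SEVERITIES = ("Informative", "Low", "Medium", "High")

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (IPv4 octets, then port high/low byte)
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg):
    """Decode a PORT argument into (ip, port); return None if it is malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


@dataclass
class RestrictionRule:
    """Hypothetical model of one rule: the commands it matches and what to do."""
    commands: frozenset
    action: str = "Alert & Deny"   # page default
    severity: str = "Medium"       # page default
    block_period: int = 1          # seconds; only consulted for Period Block

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        if not 1 <= self.block_period <= 3600:   # valid range stated on the page
            raise ValueError("block_period must be 1-3600 seconds")


class RestrictionEngine:
    """Applies one rule to commands from clients, keeping Period Block state."""

    def __init__(self, rule):
        self.rule = rule
        self.blocked_until = {}   # client_ip -> time at which its block expires
        self.log = []             # attack-log style records

    def evaluate(self, client_ip, command, argument, now):
        """Return (decision, reason) for one command; decision is 'allow' or 'deny'."""
        cmd = command.upper()
        expiry = self.blocked_until.get(client_ip)
        if expiry is not None and now < expiry:
            return "deny", "period-block"          # still inside the block period
        if cmd not in self.rule.commands:
            return "allow", "not-restricted"

        # Extra log context for PORT: flag a data-connection target that is not
        # the client itself, which is what an FTP bounce request looks like.
        detail = ""
        if cmd == "PORT":
            parsed = parse_port_argument(argument)
            if parsed is None:
                detail = "malformed PORT argument"
            elif parsed[0] != client_ip:
                detail = f"PORT target {parsed[0]}:{parsed[1]} differs from client {client_ip}"

        action = self.rule.action
        if action != "Deny (no log)":              # every other action logs
            self.log.append({"client": client_ip, "command": cmd, "action": action,
                             "severity": self.rule.severity, "detail": detail})
        if action == "Alert":
            return "allow", action                 # alert only, connection accepted
        if action == "Period Block":
            self.blocked_until[client_ip] = now + self.rule.block_period
        return "deny", action


# Constructed sample session (not a real capture):
# (client_ip, command, argument, seconds since session start)
SAMPLE_SESSION = [
    ("198.51.100.7", "USER", "anonymous", 0.0),
    ("198.51.100.7", "PORT", "198,51,100,7,4,1", 1.0),   # client's own address, port 1025
    ("198.51.100.7", "PORT", "203,0,113,5,0,25", 2.0),   # third-party host, port 25
    ("198.51.100.7", "LIST", "", 3.0),
    ("198.51.100.7", "LIST", "", 70.0),
]


def run_session(rule, session=SAMPLE_SESSION):
    """Run a whole session through one rule; return (decisions, log records)."""
    engine = RestrictionEngine(rule)
    decisions = [engine.evaluate(*entry) for entry in session]
    return decisions, engine.log


if __name__ == "__main__":
    rule = RestrictionRule(frozenset({"PORT"}), action="Period Block", block_period=60)
    for (ip, cmd, arg, t), (decision, reason) in zip(SAMPLE_SESSION, run_session(rule)[0]):
        print(f"t={t:5.1f} {cmd:4} {arg:18} -> {decision} ({reason})")
```

Running the session under Period Block shows the part of the setting that is easy to overlook: once the first PORT trips the rule, the LIST that follows is also refused until the 60 seconds expire, even though LIST is not in the rule, whereas under Alert & Deny only the PORT commands themselves are refused and the log carries the third-party target of the second one.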