Administration Guide

Creating an FTP command restriction rule

Certain FTP commands can expose your server(s) to attack. Configure FTP command restriction rules to specify acceptable FTP commands that clients can use to communicate with your server(s). For example, because attackers can exploit the PORT command to carry out FTP bounce attacks, restricting the PORT command can harden your network's security if you're using FTP.

For details about applying an FTP command restriction rule to an FTP server policy, see Configuring an FTP security inline profile.

You can place restrictions on the following FTP commands:

  • ABOR
  • ACCT
  • ALLO
  • APPE
  • AUTH
  • CDUP
  • CWD
  • DELE
  • EPRT
  • EPSV
  • FEAT
  • HELP
  • LIST
  • MDTM
  • MKD
  • MLSD
  • MODE
  • NLST
  • OPTS
  • PASS
  • PASV
  • PORT
  • PROT
  • PWD
  • QUIT
  • REIN
  • REST
  • RETR
  • RMD
  • RNFR
  • RNTO
  • SITE
  • SIZE
  • SMNT
  • STAT
  • STOR
  • STOU
  • STRU
  • SYST
  • TYPE
  • USER
  • XCUP
  • XMKD
  • XPWD
  • XRMD

To create an FTP command restriction rule

Note: If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP command restriction rule. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

  1. Go to FTP Security > FTP Command Restriction.

     To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

    Name

    Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • Deny (no log)—Block the request (or reset the connection).
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    The default value is Alert & Deny.

    Note: This setting will be ignored if Monitor Mode is enabled in a server policy.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds (1 hour). See also Monitoring currently blocked IPs.

    This setting is available only if Action is set to Period Block.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.

  4. From the list of Available Commands, select the FTP command(s) that you want to include in the rule. Use the arrows to move the command(s) to the list of Enabled Commands.

     Note: You can select multiple FTP commands by holding SHIFT or ALT when clicking commands.

  5. Click OK.
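The following is an added example, not FortiWeb code: a small model of one FTP command restriction rule (allowed verbs, Action, Block Period, Severity) evaluated against a constructed client session in which the PORT command is not on the allowed list. It assumes that the Enabled Commands list works as an allowlist, so any verb outside it counts as a violation; the rule name, client IP and session lines are made up for the example.

```python
# Added example (not FortiWeb code): one FTP command restriction rule applied to a
# client's control-channel lines. Assumes Enabled Commands is an allowlist of verbs.
from dataclasses import dataclass, field

ALERT, ALERT_DENY, DENY_NO_LOG, PERIOD_BLOCK = "Alert", "Alert & Deny", "Deny (no log)", "Period Block"

@dataclass
class CommandRestrictionRule:
    name: str
    enabled_commands: frozenset        # FTP verbs a client may use; anything else violates the rule
    action: str = ALERT_DENY           # page default
    block_period: int = 60             # seconds; only used with Period Block, valid range 1-3600
    severity: str = "Medium"           # page default for the severity_level log field
    blocked_until: dict = field(default_factory=dict)  # client IP -> time the period block expires

    def __post_init__(self):
        if self.action == PERIOD_BLOCK and not 1 <= self.block_period <= 3600:
            raise ValueError("Block Period must be 1-3600 seconds")

    def evaluate(self, client_ip, line, now):
        """Return (allowed, log_entry) for one control-channel line; log_entry is None if nothing is logged."""
        if self.blocked_until.get(client_ip, 0) > now:
            return False, None         # client is still inside an earlier Period Block
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in self.enabled_commands:
            return True, None
        entry = {"rule": self.name, "client": client_ip, "command": verb,
                 "severity_level": self.severity, "action": self.action}
        if self.action == ALERT:       # accept the connection but log the violation
            return True, entry
        if self.action == DENY_NO_LOG:  # block without logging
            return False, None
        if self.action == PERIOD_BLOCK:  # block this and later requests for block_period seconds
            self.blocked_until[client_ip] = now + self.block_period
        return False, entry            # Alert & Deny and Period Block: block and log

# Constructed session from one client; PORT (active mode) is deliberately absent from the allowlist.
SAMPLE_SESSION = ["USER alice", "PASS hunter2", "PASV", "PORT 10,0,0,9,4,1", "LIST", "QUIT"]

def run_sample(action=PERIOD_BLOCK):
    """Evaluate SAMPLE_SESSION one second apart; returns [(verb, allowed, logged), ...]."""
    rule = CommandRestrictionRule("passive-only", frozenset({"USER", "PASS", "PASV", "LIST", "RETR", "QUIT"}),
                                  action=action, block_period=30)
    results = []
    for i, line in enumerate(SAMPLE_SESSION):
        allowed, entry = rule.evaluate("198.51.100.7", line, now=1000 + i)
        results.append((line.split()[0], allowed, entry is not None))
    return results

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

With Period Block, the LIST and QUIT that follow the rejected PORT are dropped without a new log entry because the client is still inside the 30-second block; with Alert they are accepted and only the PORT line is logged.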
