Some environments require FTP download access to keep systems up to date, while blocking FTP upload to prevent files from leaving the network. This cannot be done using an application-based security policy, because traffic is allowed in both directions once the session is established between an FTP client and server. However, blocking FTP uploads while allowing FTP downloads can be accomplished using a File Blocking Profile.
Steps
The following procedure describes how to configure a File Blocking Profile on a Palo Alto Networks firewall to block FTP uploads but allow FTP downloads:
Under Objects > Security Profiles > File Blocking, create a profile using the following parameters:
Application = ftp
File type = any
Direction = Upload
Action = Block
After completing the File Blocking Profile, apply it to the security policy rule that outbound client connections are expected to match.
Go to the Policies > Security page and select the policy. The File Blocking selection is in the Profile Setting section under Actions.
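To check the result across a whole rulebase, the following added example (not part of the original article) scans a configuration export for allow rules that match ftp but have no File Blocking Profile with an upload block attached. The XML in SAMPLE is constructed, and its element layout is an assumption modelled on a PAN-OS configuration export; profile groups and application groups are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption modelled on a
# PAN-OS config export; profile and rule names are made up for the demo.
SAMPLE = """<vsys>
  <profiles><file-blocking>
    <entry name="block-ftp-upload"><rules><entry name="r1">
      <application><member>ftp</member></application><file-type><member>any</member></file-type>
      <direction>upload</direction><action>block</action>
    </entry></rules></entry>
    <entry name="alert-only"><rules><entry name="r1">
      <application><member>ftp</member></application><file-type><member>any</member></file-type>
      <direction>upload</direction><action>alert</action>
    </entry></rules></entry>
  </file-blocking></profiles>
  <rulebase><security><rules>
    <entry name="out-ftp-ok"><application><member>ftp</member></application>
      <action>allow</action><profile-setting><profiles><file-blocking>
      <member>block-ftp-upload</member></file-blocking></profiles></profile-setting></entry>
    <entry name="out-ftp-alert"><application><member>ftp</member></application>
      <action>allow</action><profile-setting><profiles><file-blocking>
      <member>alert-only</member></file-blocking></profiles></profile-setting></entry>
    <entry name="out-any-bare"><application><member>any</member></application><action>allow</action></entry>
    <entry name="out-web"><application><member>web-browsing</member></application><action>allow</action></entry>
  </rules></security></rulebase>
</vsys>"""

def members(node, path):
    return {m.text for m in node.findall(path + "/member")}

def blocks_ftp_upload(profile):
    """True if a profile rule blocks any file type uploaded over ftp."""
    return any(
        members(r, "application") & {"ftp", "any"}
        and "any" in members(r, "file-type")
        and r.findtext("direction") in ("upload", "both")
        and r.findtext("action") == "block"
        for r in profile.findall("rules/entry"))

def unprotected_ftp_rules(xml_text):
    """Names of allow rules matching ftp without an upload-blocking profile."""
    root = ET.fromstring(xml_text)
    good = {p.get("name") for p in root.findall("profiles/file-blocking/entry")
            if blocks_ftp_upload(p)}
    return [r.get("name") for r in root.findall("rulebase/security/rules/entry")
            if r.findtext("action") == "allow"
            and members(r, "application") & {"ftp", "any"}
            and not members(r, "profile-setting/profiles/file-blocking") & good]
```

A rule whose attached profile only alerts on uploads is reported alongside rules with no profile at all, since neither stops files from leaving over FTP.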