By default, the Zscaler service does not allow users from a location to upload or download files from FTP sites. You can configure the FTP Control policy to allow access to specific sites.
Note the following:
- The FTP Control policy applies to traffic from the known locations of an organization.
- The service supports FTP over HTTP. The anti-virus engine will scan the content for viruses and spyware. These connections are also subject to rules created under the URL Filtering Policy in the admin portal.
- The service supports passive FTP only. If the destination server does not support passive FTP, the service generates an alert message to this effect in the end user's browser.
- The service supports FTP over HTTP for road warriors who use a dedicated port. When such a road warrior's browser connects to FTP sites and downloads files, the service's anti-virus engine can scan the content for viruses and spyware.
- The service does not support AV scanning for native FTP traffic.
- URL Filtering Policy rules take precedence over the FTP Control policy. For example, if you have a URL Filtering Policy rule that blocks access to Adult Material, the Zscaler service will block users who try to transfer files from ftp://ftp.playboy.com/
- User-, department-, or group-level URL filtering rules blocking access to specific sites will not be enforced for FTP sites because FTP does not support cookies. Only rules applied to all users will be enforced. For example, if you have a catch-all URL Filtering rule that blocks access to Adult Material, anybody trying to ftp to ftp://ftp.playboy.com/ will get blocked.
To see the FTP Control policy Zscaler recommends, see What is the recommended FTP Control policy?
Click Recommended Policy to view the policy Zscaler recommends.
To configure the FTP Control policy, follow the instructions below.
- Go to Policy > Firewall > FTP Control.
- Complete the following:
  - Allow FTP over HTTP: By default, the Zscaler service does not allow users from a location to upload or download files from FTP sites. Select this to enable browsers to connect to FTP sites and download files. If a road warrior uses a dedicated port, then the service supports FTP over HTTP for road warriors.
  - Allow Any URL Category: You can configure the FTP Control policy to allow access to specific sites. The policy applies to traffic from the known locations of an organization. Select this to allow FTP traffic for all URL categories.
  - Allowed URL Categories: You can select URL super-categories and/or categories. You can select any number of categories. You can search for categories or add a custom category by clicking the Add icon.
  - Allowed URLs: You can type in the URLs for which FTP traffic will be allowed.
- Click Save and activate the change.
To see how this policy fits into the overall order of policy enforcement, see How does the Zscaler service enforce policies?
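The note above that only all-users URL Filtering rules are enforced for FTP means a block scoped to a user, group or department can be bypassed once FTP Control allows that category. The following Python check is an added example, not Zscaler code or a Zscaler API: it takes a hand-built model of both policies and lists the scoped block rules that FTP traffic would not honor. The class and field names, the rule names, and the "File Sharing" and "Gambling" categories are assumptions; rule order and the Allowed URLs list are not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class UrlFilterRule:              # hypothetical model, not a Zscaler object
    name: str
    action: str                   # "BLOCK" or "ALLOW"
    categories: set
    scope: str = "all"            # "all", "user", "group" or "department"

@dataclass
class FtpControl:                 # hypothetical model of the FTP Control page
    allow_any_category: bool = False
    allowed_categories: set = field(default_factory=set)

def ftp_permits(category, ftp):
    """True if FTP Control alone would let this URL category through."""
    return ftp.allow_any_category or category in ftp.allowed_categories

def unenforced_ftp_blocks(rules, ftp):
    """Map each scoped BLOCK rule to the categories it cannot block over FTP.

    Only all-users rules are enforced for FTP, so a category blocked solely
    by a user/group/department rule stays reachable when FTP Control allows it.
    """
    enforced = set()
    for r in rules:
        if r.action == "BLOCK" and r.scope == "all":
            enforced |= r.categories
    gaps = {}
    for r in rules:
        if r.action != "BLOCK" or r.scope == "all":
            continue
        exposed = sorted(c for c in r.categories
                         if c not in enforced and ftp_permits(c, ftp))
        if exposed:
            gaps[r.name] = exposed
    return gaps

# Constructed sample policy; rule names and two of the categories are made up.
SAMPLE_RULES = [
    UrlFilterRule("block-adult-everyone", "BLOCK", {"Adult Material"}),
    UrlFilterRule("block-sharing-contractors", "BLOCK",
                  {"File Sharing", "Adult Material"}, scope="group"),
    UrlFilterRule("block-gambling-finance", "BLOCK", {"Gambling"},
                  scope="department"),
]

if __name__ == "__main__":
    ftp = FtpControl(allowed_categories={"File Sharing"})
    for rule, cats in unenforced_ftp_blocks(SAMPLE_RULES, ftp).items():
        print(f"{rule}: not enforced over FTP for {', '.join(cats)}")
```

Each rule it reports is a candidate for conversion to an all-users rule, or for removing the category from Allowed URL Categories.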