Commands FTP tab

Proxy

Main commands

Modify write commands button: This button allows you to Pass without scanning, Block or Scan the syntax and check that the command complies with the RFCs in force, for write commands.

Modify all commands button: This button allows you to Pass without scanning, Block or Scan the syntax and check that the command complies with the RFCs in force, for generic commands as well as modification commands.

Command Name of the command.
Action 3 authorizations possible from “Pass without scanning”, “Scan” and “Block”.
Command type Indicates the type of command. “Writing” FTP commands defined in the RFCs can cause changes in the server, such as the deletion of data or even the creation of folders. These commands operate in the same way as for “generic” commands – you can authorize or prohibit a command or check that the command syntax complies with the RFC in force.

Other commands allowed

Additional commands, limited to 21 characters, can be added and deleted when necessary.

IPS

Authorized FTP commands

RTCP commands can be defined in the intrusion prevention module, by clicking on Add. They are limited to 115 characters and can be deleted when needed.

Prohibited FTP commands

FTP commands, limited to 115 characters, can be prohibited in the intrusion prevention module.

List of generic FTP commands and details of filtering

  • ABOR: Command that interrupts the transfer in progress. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • ACCT: Command that specifies the account to be used for connecting. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • ADAT: Command that sends security data for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • AUTH: Command that selects the security mechanism for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • CCC: Command that allows unprotected messages.
  • CDUP: Command that modifies the parent working folder. This command does not accept arguments . By default, a scan will be performed to check RFC compliance.
  • CONF: Command that specifies the “confidential” message used for authentication.
  • CWD: This command modifies the working folder. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • ENC: This command specifies the “private” message used for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • EPRT: This command enables the extended active transfer mode. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • EPSV: This command selects the extended passive transfer mode. This command has to be executed with at most one argument. This command is blocked by default.
  • FEAT: This command displays the extensions supported by the server.  It does not accept arguments. The result of this command is filtered by the proxy if filtering has been requested on the FEAT command.
  • HELP: This command returns the details for a given command. This command has to be executed with at most one argument. By default, a scan will be performed to check RFC compliance.
  • LIST: This command lists the contents of a data location in a friendly way.
  • MDTM: This command displays the date of the last modification for a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • MIC: This command specifies the “safe” message used for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • MLSD: This command displays the contents of the normalized folder. By default, a scan will be performed to check RFC compliance.
  • MLST: This command displays the information of the normalized folder. By default, a scan will be performed to check RFC compliance.
  • MODE: This command specifies the transfer mode. By default, a scan will be performed to check RFC compliance. This command is the object of a greater filter. It is only allowed with the arguments S, B, C and Z. If the antivirus analysis has been enabled, only argument S will be allowed.
  • NLST: This command lists the contents of a data location of the computer in a friendly way. By default, a scan will be performed to check RFC compliance.
  • NOOP: This command does not do anything. It does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • OPTS: This command specifies the status options for the given command. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • PASS: This command specifies the password used for the connection. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • PASV: This command selects the passive transfer mode. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • PBSZ: This command specifies the size of encoded blocks. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • PORT: This command selects the active transfer mode. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • PROT: This command specifies the level of protection. By default, a scan will be performed to check RFC compliance. This command is the object of a greater filter. It is allowed only with the arguments C, S E and P.
  • PWD: This command displays the current working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • QUIT: This command terminates the session in progress and the connection. By default, a scan will be performed to check RFC compliance.
  • REIN: This command terminates the session in progress (initialized with the user). By default, a scan will be performed to check RFC compliance.
  • REST: This command specifies the offset with which the transfer has to catch up. By default, a scan will be performed to check RFC compliance. This command is the object of a greater filter. It is prohibited if the antivirus scan is running. Otherwise, the proxy will check that a single argument is present.
  • RETR: This command retrieves a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance
  • SITE: This command executes a command specific to the server. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • SIZE: This command displays the transfer size for a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • SMNT: This command modifies the data structure of the system in progress. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • STAT: This command displays the current status. By default, a scan will be performed to check RFC compliance.
  • STRU: This command specifies the structure of transferred data. By default, a scan will be performed to check RFC compliance. This command is the object of a greater filter. It is allowed only with the arguments  F, R and P.  If the antivirus scan has been enabled, only the argument F will be allowed.
  • SYST: This command displays the information about the server’s operating system. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • TYPE: This command specifies the type of data transferred. By default, a scan will be performed to check RFC compliance. This command is the object of a greater filter. It is allowed only with the arguments ASCII, EBCDIC, IMAGE, I, A, E and L. If the antivirus scan has been enabled, only the arguments ASCII, IMAGE, I and A will be allowed. The option L may be followed by a digital argument. The option L may be followed by a digital argument. The options E, A, EBCDIC and ASCII accept the following arguments: N, C and T.
  • USER: This command specifies the name of the user for connecting.
  • XCUP: This command modifies the parent working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • XCWD: This command modifies the working folder. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • XPWD: This command displays the current working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.

List of FTP modification commands and details of filtering

  • ALLO: This command allocates the storage space on this server. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • APPE: This command adds (or creates) to the data location. This command is the object of a greater filter. Indeed, this command is prohibited if the antivirus scan has been enabled (risk of bypass). Otherwise, the presence of at least one argument will be checked for.
  • DELE: This command deletes a given file. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • MKD: This command creates a new folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RMD: This command deletes the given folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RNFR: This command selects a file that has to be renamed. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RNTO: This command specifies the new name of the selected file. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • STOR: This command stores a given file. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • STOU: This command stores a given file with a unique name. This command does not accept arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • XMKD: This command creates a new folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • XRMD: This command deletes the given folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.