FTP Commands tab

Proxy

Main commands

  • Command: Name of the command.
  • Action: “Pass without scanning”, “Allow” or “Block” (three possible authorizations).
  • Command type: Indicates the type of command. “Writing” FTP commands defined in the RFCs can cause changes on the server, such as the deletion of data or the creation of folders. These commands operate in the same way as “generic” commands: you can allow or prohibit a command, or check that the command syntax complies with the RFC in force.

Other commands allowed

Where necessary, users can Add or Delete additional commands up to a limit of 21 characters.

IPS

Allowed FTP commands

FTP commands, limited to 115 characters, can be defined in the intrusion prevention module by clicking on Add, and can be deleted when needed.

Prohibited FTP commands

FTP commands, limited to 115 characters, can be prohibited in the intrusion prevention module.

List of generic FTP commands and details of filtering

  • ABOR: Command that interrupts the transfer in progress. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • ACCT: Command that specifies the account to be used for connecting. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • ADAT: Command that sends security data for authentication. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • AUTH: Command that selects the security mechanism for authentication. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • CCC: Command that allows unprotected messages.
  • CDUP: Command that modifies the parent working folder. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • CONF: Command that specifies the “confidential” message used for authentication.
  • CWD: This command modifies the working folder. This command accepts one or several arguments. By default, it will be analyzed to check RFC compliance.
  • ENC: This command specifies the “private” message used for authentication. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • EPRT: This command enables the extended active transfer mode. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • EPSV: This command selects the extended passive transfer mode. This command has to be executed with at most one argument. This command is blocked by default.
  • FEAT: This command displays the extensions supported by the server and does not accept arguments. The result of this command is filtered by the proxy if filtering has been requested on the FEAT command.
  • HELP: This command returns the details for a given command. This command has to be executed with at most one argument. By default, it will be analyzed to check RFC compliance.
  • LIST: This command lists the contents of a data location in a user-friendly format.
  • MDTM: This command displays the date of the last modification for a given file. This command accepts one or several arguments. By default, it will be analyzed to check RFC compliance.
  • MIC: This command specifies the “safe” message used for authentication. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • MLSD: This command displays the contents of a folder in a standardized format. By default, it will be analyzed to check RFC compliance.
  • MLST: This command displays information about a folder in a standardized format. By default, it will be analyzed to check RFC compliance.
  • MODE: This command specifies the transfer mode. By default, it will be analyzed to check RFC compliance. This command is subject to stricter filtering and is only allowed with the arguments S, B, C and Z. If the antivirus analysis has been enabled, only argument S will be allowed.
  • NLST: This command lists the contents of a data location of the computer in a friendly way. By default, it will be analyzed to check RFC compliance.
  • NOOP: This command does not do anything and does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • OPTS: This command specifies the status options for the given command. This command accepts one or several arguments. By default, it will be analyzed to check RFC compliance.
  • PASS: This command specifies the password used for the connection. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • PASV: This command selects the passive transfer mode. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • PBSZ: This command specifies the size of encoded blocks. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • PORT: This command selects the active transfer mode. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • PROT: This command specifies the level of protection. By default, it will be analyzed to check RFC compliance. This command is subject to stricter filtering and is allowed only with the arguments C, S, E and P.
  • PWD: This command displays the current working folder. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • QUIT: This command terminates the session in progress and the connection. By default, it will be analyzed to check RFC compliance.
  • REIN: This command ends the session in progress (initialized with the user). By default, it will be analyzed to check RFC compliance.
  • REST: This command specifies the offset from which the transfer is to resume. By default, it will be analyzed to check RFC compliance. This command is subject to stricter filtering and is prohibited if the antivirus scan is running. Otherwise, the proxy will check that a single argument is present.
  • RETR: This command retrieves a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • SITE: This command executes a command specific to the server. This command accepts only a single argument. By default, it will be analyzed to check RFC compliance.
  • SIZE: This command displays the transfer size for a given file. This command accepts one or several arguments. By default, it will be analyzed to check RFC compliance.
  • SMNT: This command modifies the data structure of the system in progress. This command accepts one or several arguments. By default, it will be analyzed to check RFC compliance.
  • STAT: This command displays the current status. By default, it will be analyzed to check RFC compliance.
  • STRU: This command specifies the structure of transferred data. By default, it will be analyzed to check RFC compliance. This command is subject to stricter filtering and is allowed only with the arguments F, R and P. If the antivirus scan has been enabled, only the argument F will be allowed.
  • SYST: This command displays the information about the server’s operating system. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • TYPE: This command specifies the type of data transferred. By default, it will be analyzed to check RFC compliance. This command is subject to stricter filtering and is allowed only with the arguments ASCII, EBCDIC, IMAGE, I, A, E and L. If the antivirus scan has been enabled, only the arguments ASCII, IMAGE, I and A will be allowed. The option L may be followed by a numeric argument. The options E, A, EBCDIC and ASCII accept the following arguments: N, C and T.
  • USER: This command specifies the name of the user for connecting.
  • XCUP: This command modifies the parent working folder. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.
  • XCWD: This command modifies the working folder. This command accepts one or several arguments. By default, it will be analyzed to check RFC compliance.
  • XPWD: This command displays the current working folder. This command does not accept arguments. By default, it will be analyzed to check RFC compliance.

List of FTP modification commands and details of filtering

  • ALLO: This command allocates the storage space on this server and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • APPE: This command appends to (or creates) the data location. This command is subject to stricter filtering: it is prohibited if the antivirus scan has been enabled (risk of bypass). Otherwise, the presence of at least one argument will be checked.
  • DELE: This command deletes a given file and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • MKD: This command creates a new folder and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RMD: This command deletes the given folder and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RNFR: This command selects a file that has to be renamed and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RNTO: This command specifies the new name of the selected file and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • STOR: This command stores a given file and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • STOU: This command stores a given file with a unique name. This command does not accept arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • XMKD: This command creates a new folder and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • XRMD: This command deletes the given folder and accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
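
The rules in the two command lists above, expressed as an added example (not the product's own code): a Python model of the argument-restricted commands (MODE, STRU, PROT, TYPE, REST, APPE), the EPSV default, and the “Enable modification commands” option. The function name, its parameters, the "unknown" verdict and case-insensitive argument matching are assumptions.

```python
# Added example: a model of the filtering rules listed on this page.
# Not vendor code; function names and the "unknown" verdict are assumptions.
MOD_CMDS = {"ALLO", "DELE", "MKD", "RMD", "RNFR", "RNTO", "STOR", "XMKD", "XRMD"}
ARG_SETS = {  # command -> (arguments allowed, arguments allowed with antivirus)
    "MODE": ({"S", "B", "C", "Z"}, {"S"}),
    "STRU": ({"F", "R", "P"}, {"F"}),
    "PROT": ({"C", "S", "E", "P"}, {"C", "S", "E", "P"}),
    "TYPE": ({"ASCII", "EBCDIC", "IMAGE", "I", "A", "E", "L"},
             {"ASCII", "IMAGE", "I", "A"}),
}
FORMAT_OPTS = {"N", "C", "T"}  # accepted after E, A, EBCDIC and ASCII


def evaluate(line, antivirus=False, modification_enabled=False):
    """Return (verdict, reason) for one FTP control-channel line."""
    parts = line.strip().split()
    if not parts:
        return "block", "empty line"
    cmd, args = parts[0].upper(), parts[1:]  # verbs are case-insensitive (RFC 959)
    if cmd == "EPSV":
        return "block", "EPSV is blocked by default"
    if cmd in ("REST", "APPE"):  # the page states only the antivirus rule for APPE
        if antivirus:
            return "block", f"{cmd} is prohibited while the antivirus scan is on"
        ok = len(args) == 1 if cmd == "REST" else len(args) >= 1
        return ("allow", "argument count ok") if ok else ("block", "bad argument count")
    if cmd in MOD_CMDS or cmd == "STOU":
        if not modification_enabled:
            return "block", "modification commands are not enabled"
        ok = not args if cmd == "STOU" else len(args) >= 1
        return ("allow", "argument count ok") if ok else ("block", "bad argument count")
    if cmd in ARG_SETS:
        args = [a.upper() for a in args]
        allowed = ARG_SETS[cmd][1 if antivirus else 0]
        if not args or args[0] not in allowed:
            return "block", f"{cmd} argument not permitted"
        extra = args[1:]
        if cmd == "TYPE" and args[0] == "L":
            ok = len(extra) <= 1 and all(e.isascii() and e.isdigit() for e in extra)
        elif cmd == "TYPE" and args[0] in {"E", "A", "EBCDIC", "ASCII"}:
            ok = len(extra) <= 1 and all(e in FORMAT_OPTS for e in extra)
        else:
            ok = not extra  # assumption: no trailing arguments otherwise
        return ("allow", "argument permitted") if ok else ("block", "invalid extra argument")
    return "unknown", "command not covered by this model"
```

Replaying recorded FTP control-channel lines through `evaluate` with `antivirus=True` shows which client behaviours (resumed transfers, compressed mode, appends) would stop working once the antivirus scan is enabled.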