Proxy tab

Filter the welcome banner sent by the FTP server: If this option is selected, the server’s banner will no longer be sent during an FTP connection.
Block FTP bounce: Prevents IP address spoofing. By issuing the PORT command with an internal IP address as its argument, an external host may access confidential data by exploiting vulnerabilities in an FTP server or a host that is vulnerable to bounces.
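The check behind a bounce filter can be sketched as follows. This is an added example, not the firewall's own code: it parses the data endpoint announced in a PORT or EPRT command and relays the command only if that endpoint is the address of the control connection's peer. The function names, the sample lines and the minimum-port rule (taken from RFC 2577, not from this page) are assumptions.

```python
import ipaddress

class BounceRejected(Exception):
    """The PORT/EPRT argument must not be relayed to the FTP server."""

def parse_data_endpoint(line):
    """Return (address, port) from a PORT (RFC 959) or EPRT (RFC 2428) line."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    try:
        if verb == "PORT":                      # PORT h1,h2,h3,h4,p1,p2
            f = [int(x) for x in arg.split(",")]
            if len(f) != 6 or not all(0 <= x <= 255 for x in f):
                raise ValueError("expected six byte values")
            return ipaddress.ip_address(".".join(map(str, f[:4]))), f[4] * 256 + f[5]
        if verb == "EPRT":                      # EPRT |family|address|port|
            _, family, addr, port, _ = arg.split(arg[0])
            host = ipaddress.ip_address(addr)
            if {"1": 4, "2": 6}.get(family) != host.version:
                raise ValueError("address family mismatch")
            return host, int(port)
    except (ValueError, IndexError) as exc:
        raise BounceRejected(f"malformed {verb} argument: {exc}") from None
    raise BounceRejected(f"not a PORT/EPRT command: {verb!r}")

def check_data_command(line, control_peer, min_port=1024):
    """Accept the command only if it points back at the control-connection peer."""
    host, port = parse_data_endpoint(line)
    if host != ipaddress.ip_address(control_peer):
        raise BounceRejected(f"{host} is not the control peer {control_peer}")
    # Assumption beyond the page: RFC 2577 also advises refusing ports below 1024.
    if not min_port <= port <= 65535:
        raise BounceRejected(f"port {port} outside {min_port}-65535")
    return host, port

def is_relayable(line, control_peer):
    """Boolean wrapper: True if the command may be forwarded, False if blocked."""
    try:
        check_data_command(line, control_peer)
        return True
    except BounceRejected:
        return False

# Constructed sample: control connection from 203.0.113.7 (documentation range).
SAMPLES = [
    "PORT 203,0,113,7,195,80",      # own address, port 50000
    "PORT 192,168,1,10,0,22",       # internal address, not the peer: blocked
    "EPRT |1|203.0.113.7|50000|",   # own address via EPRT
    "EPRT |1|203.0.113.7|21|",      # own address, privileged port: blocked
]
```
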

Connection

Keep original source IP address: When a web client (browser) sends a request to the server, the firewall intercepts it, checks that it complies with URL filter rules and then relays it.
If this option is selected, the relayed request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

Allowed transfer modes

Between the client and the proxy: When the FTP client sends a request to the server, the proxy first intercepts the request in order to analyze it. From the FTP client’s point of view, the proxy corresponds to the server. This option defines the allowed transfer mode.
  • If Active only is specified, the FTP client will determine the connection port to use for transferring data. The FTP server will then initialize the connection from its data port (port 20) to the port specified by the client.
  • If Passive only is specified, the FTP server will determine the connection port to use for transferring data (data connection) and will transmit it to the client.
  • If Active and passive is specified, the FTP client will be able to choose between both transfer modes when configuring the firewall.
Between the proxy and the server: When the proxy has finished scanning the client request, it forwards the request to the FTP server, which then sees the proxy as the FTP client. Since the proxy has an intermediary role, it is transparent.
The allowed transfer modes are the same as for the previous option.