hit counter script

Ftp Inspection; Ftp Inspection Overview; Using The Strict Option - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Hide thumbs Also See for 7604:
Table of Contents

Advertisement

FTP Inspection

FTP Inspection
This section describes how the FTP inspection engine works and how you can change its configuration.
This section includes the following topics:

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four tasks:
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels
are negotiated through PORT or PASV commands. The channels are allocated in response to a file
upload, a file download, or a directory listing event.
If you disable FTP inspection engines with the no inspect ftp command, outbound users can start
Note
connections only in passive mode, and all inbound FTP is disabled.

Using the strict Option

Using the strict option with the inspect ftp command increases the security of protected networks by
preventing web browsers from sending embedded commands in FTP requests.
Tip
To specify FTP commands that are not permitted to pass through the FWSM, create an FTP map and
enter the request-command deny command in FTP map configuration mode.
After you enable the strict option on an interface, FTP inspection enforces the following behavior:
Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP
Caution
RFCs.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-30
FTP Inspection Overview, page 22-30
Using the strict Option, page 22-30
The request-command deny Command, page 22-31
Configuring FTP Inspection, page 22-32
Verifying and Monitoring FTP Inspection, page 22-34
Prepares dynamic secondary data connection
Tracks ftp command-response sequence
Generates an audit trail
NATs embedded IP address
An FTP command must be acknowledged before the FWSM allows a new command.
The FWSM drops connections that send embedded commands.
The 227 and PORT commands are checked to ensure they do not appear in an error string.
Chapter 22
Applying Application Layer Protocol Inspection
OL-20748-01

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

7609-s76137606-sCatalyst 6500 series7600 series

Table of Contents