hostname(config)# policy-map type inspect esmtp advanced_esmtp_map
hostname(config-pmap)# match sender-address regex class senders_black_list
hostname(config-pmap-c)# drop-connection log
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect esmtp advanced_esmtp_map
hostname(config)# service-policy outside_policy interface outside
FTP Inspection
This section describes the FTP inspection engine. This section includes the following topics:
• FTP Inspection Overview, page 25-26
• Using the strict Option, page 25-26
• Configuring an FTP Inspection Policy Map for Additional Inspection Control, page 25-27
• Verifying and Monitoring FTP Inspection, page 25-31
FTP Inspection Overview
The FTP application inspection inspects the FTP sessions and performs four tasks:
• Prepares dynamic secondary data connection
• Tracks the FTP command-response sequence
• Generates an audit trail
• Translates the embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.
Note If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
Using the strict Option
Using the strict option with the inspect ftp command increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests.
Note To specify FTP commands that are not permitted to pass through the security appliance, create an FTP map according to the "Configuring an FTP Inspection Policy Map for Additional Inspection Control" section on page 25-27.
After you enable the strict option on an interface, FTP inspection enforces the following behavior:
Cisco Security Appliance Command Line Configuration Guide
Chapter 25 Configuring Application Layer Protocol Inspection
OL-12172-03
25-26
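The overview above says the inspection engine learns the secondary data channel from PORT and PASV and translates the IP address embedded in those messages; the strict option is described as blocking embedded commands. The following Python is an added example written for this page, not Cisco's implementation: it parses the PORT request and the 227 PASV reply into (address, port), rewrites the embedded address according to an assumed NAT mapping (a plain inside-to-outside dictionary, which stands in for the appliance's translation table), and applies a simple single-command check that illustrates the embedded-command problem without claiming to reproduce the appliance's exact strict-mode rules. The sample messages are constructed, not captured traffic.

```python
# Added example, not Cisco code: a small model of two FTP inspection tasks,
# learning the dynamic data channel from PORT/PASV and translating the
# embedded IP address for NAT, plus an illustrative single-command check.
import re
from ipaddress import IPv4Address

# "h1,h2,h3,h4,p1,p2" is the encoding used by both PORT and the 227 reply
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\r\n$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\(" + _HOSTPORT + r"\)\.?\r\n$")


def decode_hostport(octets):
    """Turn the six decimal fields into (ip, port); reject out-of-range values."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in octets)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field exceeds 255")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: (ip, port) -> "h1,h2,h3,h4,p1,p2"."""
    octets = str(IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_data_channel(line):
    """Return (kind, ip, port) for a PORT request or 227 PASV reply, else None.

    "PORT": the client announces where it listens and the server connects back.
    "PASV": the server announces where it listens and the client connects.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return "PORT", ip, port
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return "PASV", ip, port
    return None


def translate_embedded_address(line, nat_map):
    """Rewrite the address embedded in a PORT/PASV message per a NAT mapping.

    nat_map (assumed, stands in for the appliance's translation table) maps a
    real inside address to its translated address; the port is kept, as in a
    static one-to-one translation. Returns (rewritten_line, (kind, ip, port)),
    or (line, None) when the message announces no data channel.
    """
    parsed = parse_data_channel(line)
    if parsed is None:
        return line, None
    kind, ip, port = parsed
    new_ip = nat_map.get(ip, ip)
    old, new = encode_hostport(ip, port), encode_hostport(new_ip, port)
    return line.replace(old, new, 1), (kind, new_ip, port)


def is_single_command(request):
    """Illustrative strict-style check: exactly one CRLF-terminated command.

    A request carrying a second command (a CR or LF inside the line) or lacking
    the CRLF terminator is rejected.
    """
    if not request.endswith("\r\n"):
        return False
    body = request[:-2]
    return "\r" not in body and "\n" not in body and "\x00" not in body


if __name__ == "__main__":
    nat = {"10.1.1.5": "203.0.113.7"}  # constructed mapping
    for msg in ["PORT 10,1,1,5,4,210\r\n",                            # constructed
                "227 Entering Passive Mode (192,168,1,20,195,80).\r\n",
                "RETR report.txt\r\n",
                "USER anonymous\r\nPORT 10,1,1,5,4,210\r\n"]:          # embedded command
        rewritten, channel = translate_embedded_address(msg, nat)
        print(repr(msg), "single command:", is_single_command(msg),
              "channel:", channel, "rewritten:", repr(rewritten))
```

The parsed (kind, ip, port) tuple is exactly what an inspection engine needs to open the pinhole for the secondary channel, and the rewritten line is what must be forwarded when the embedded address is on the inside of a translation; without that rewrite the peer would try to connect to an unroutable address.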