Channel: IT Security - Multi Platform

FTP Control

By default, the Zscaler service does not allow users from a location to upload or download files from FTP sites. You can configure the FTP Control policy to allow access to specific sites. Zscaler Nodes can be used to download and upload files to any FTP server on the Internet. Users from known locations can connect to FTP sites through Zscaler.
Note the following:
·         The FTP policy applies to traffic from the known locations of an organization.
·         The service supports FTP over HTTP. The anti-virus engine will scan the content for viruses and spyware. These connections are also subject to rules created under the URL Filtering Policy in the admin portal.
·         The service supports passive FTP only. If the destination server does not support passive FTP, the service generates an alert message to this effect in the end user's browser.
·         If a road warrior uses a dedicated port, then the service supports FTP over HTTP for road warriors. So when a road warrior’s browser connects to FTP sites and downloads files, the anti-virus engine of the service will be able to scan the content for viruses and spyware.
·         The service does not support AV scanning for native FTP traffic.
·         URL Filtering Policy rules take precedence over the FTP Control policy. For example, if you have a URL Filtering Policy rule that blocks access to Adult Material, the Zscaler service will block users who try to transfer files from ftp://ftp.playboy.com/
·         User-, department-, or group-level URL filtering rules blocking access to specific sites will not be enforced for FTP sites because FTP does not support cookies. Only rules applied to all users will be enforced. For example, if you have a catch-all URL Filtering rule that blocks access to Adult Material, anybody trying to ftp to ftp://ftp.playboy.com/ will get blocked.

Configuration and Use cases:

Under the FTP Control policy, you will find FTP over HTTP and Native FTP Control. These are global settings; user-based policy cannot be applied to FTP connections.
Enabling FTP over HTTP allows users to connect to FTP sites using a browser such as IE or Firefox (manual proxy or PAC configured). The URL policy is evaluated to allow or deny access to the FTP site. For instance, a user is trying to access ftp://tickets.zscaler.com, which is categorized as Professional Services. The Professional Services category should be set to allowed in the URL policy for the Location from which the user is connecting to the FTP site.
Enabling Native FTP Control allows users to use FTP clients such as the FileZilla FTP client, with proxy settings, to connect to FTP sites. You can configure URL categories in this section to allow FTP connections.

Following is an example for each type of FTP control:

Case 1

 ftp://tickets.zscaler.com/ should be allowed and all other FTP sites should be blocked
 FTP works for Known Location users only
 UI > Policy > Web > FTP Control > Enable - FTP over HTTP, then create the rule as follows
  This looks for URL policies where WHO is set to ALL, since I have Rule #3 to block ALL and Rule #2 to allow FTP - ftp://ftp-it.denner.ch



Note # 1: If I don’t have rule #3, all FTP sites would be allowed.

Note # 2: If I have rule #3 and WHO is set to some user or group, all FTP sites would be allowed.

Create rule in UI > Policy > Web > URL & Cloud App Control accordingly.
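
The evaluation described in Case 1 and its two notes can be modelled in a few lines to audit a rule set before relying on it. This is an added example, not Zscaler code and not part of the original article; the Rule fields, the first-match ordering, the group name "Sales" and the host ftp.example.org are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Rule:
    order: int    # assumption: lower order is evaluated first, first match wins
    who: str      # "ALL", or a user/group/department name
    pattern: str  # host pattern; "*" matches any site
    action: str   # "ALLOW" or "BLOCK"

def ftp_over_http_decision(rules, host, enabled=True):
    """Model the outcome for an FTP-over-HTTP request to `host`."""
    if not enabled:
        return "BLOCK"  # FTP is not allowed unless FTP Control enables it
    # Only rules applied to all users are enforced for FTP (no cookies).
    enforced = sorted((r for r in rules if r.who == "ALL"), key=lambda r: r.order)
    for rule in enforced:
        if fnmatch(host, rule.pattern):
            return rule.action
    return "ALLOW"  # no all-users rule matched

def ineffective_ftp_blocks(rules):
    """Audit helper: BLOCK rules that never apply to FTP because WHO is scoped."""
    return [r.order for r in rules if r.action == "BLOCK" and r.who != "ALL"]

# Constructed rule sets mirroring Case 1, Note #1 and Note #2.
ALLOW_SITE = Rule(2, "ALL", "tickets.zscaler.com", "ALLOW")
CASE_1 = [ALLOW_SITE, Rule(3, "ALL", "*", "BLOCK")]
NOTE_1 = [ALLOW_SITE]                                   # rule #3 missing
NOTE_2 = [ALLOW_SITE, Rule(3, "Sales", "*", "BLOCK")]   # rule #3 scoped to a group

if __name__ == "__main__":
    for name, rules in (("Case 1", CASE_1), ("Note 1", NOTE_1), ("Note 2", NOTE_2)):
        print(name,
              ftp_over_http_decision(rules, "tickets.zscaler.com"),
              ftp_over_http_decision(rules, "ftp.example.org"),
              "ineffective blocks:", ineffective_ftp_blocks(rules))
```

Any rule order returned by ineffective_ftp_blocks is a block that looks restrictive in the rule list but does not restrict FTP, which is the situation Note # 2 describes.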

Case 2

 How to block and allow Client connections
 E.g.: Using the FileZilla client - connection to ftp://ftp.ptcinfo.org/
 Make them go through the proxy; settings:

ftp://ftp.ptcinfo.org/ would not connect – image below


Create URL Custom Category and add URL ftp.ptcinfo.org.  Select the category or the URL ftp.ptcinfo.org at UI > Policy > Web > FTP Control > Native FTP Control.


 Now the connection is successful.

Note 1: FTP controls are a global configuration; there are no dedicated policies to control FTP traffic based on source.


