How stateful FTP inspection works

Firewall can perform stateful inspection for the FTP protocol.

FTP involves two connections:

  • Control, which carries the commands
  • Data, which carries the information being transferred

When a client connects to an FTP server, the control channel is established on FTP destination Port 21, and an entry is made in the state table. If FTP inspection is enabled in the Firewall Options policy, the firewall knows, when it encounters a connection opened on Port 21, to perform stateful packet inspection on the packets coming through the FTP control channel.

Firewall monitors the PORT, EPRT, PASV, and EPSV commands on the control channel, and determines which dynamic rules must be created for subsequent FTP data connections.

The combination of the control connection and one or more data connections is called a session. When the data transfer is complete, the dynamic rules created for data transfer are removed.

When the control connection is terminated, Firewall makes sure that all corresponding data connections are also removed.
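The following Python is an added illustration, not code from the product documented here: it models the state the inspection keeps for one FTP session, deriving a dynamic data-connection rule from each PORT, EPRT, 227 or 229 line on the control channel and dropping rules when a transfer finishes or the control connection closes. It also refuses an announced address that does not belong to the endpoint that sent it; the session, rule and function names are the example's own assumptions.

```python
import re

class FtpSession:
    """One control connection plus the dynamic rules open for its data connections."""
    def __init__(self, client, server):
        self.client, self.server, self.data_rules = client, server, []

def _hostport(csv):
    n = [int(x) for x in csv.split(",")]        # 'h1,h2,h3,h4,p1,p2' form of PORT and 227
    if len(n) != 6 or any(not 0 <= v <= 255 for v in n):
        raise ValueError("malformed host-port string")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def inspect_control_line(sess, sender, line):
    """Return the (src, dst, dport) rule one control-channel line requires, or None.
    An announced address must belong to the endpoint that sent it; anything else is refused."""
    line = line.strip()
    if sender == "client":                      # PORT / EPRT: the server will connect to the client
        m = re.match(r"PORT (\S+)$", line, re.I)
        e = re.match(r"EPRT \|1\|([\d.]+)\|(\d+)\|$", line, re.I)
        if m:
            host, port = _hostport(m.group(1))
        elif e:
            host, port = e.group(1), int(e.group(2))
        else:
            return None                         # PASV/EPSV carry no address; the reply does
        if host != sess.client:
            raise ValueError("PORT/EPRT address does not match the client")
        rule = (sess.server, sess.client, port)
    else:                                       # 227 / 229 reply: the client will connect to the server
        m = re.match(r"227 .*\((\d+(?:,\d+){5})\)", line)
        e = re.match(r"229 .*\(\|\|\|(\d+)\|\)", line)
        if m:
            host, port = _hostport(m.group(1))
            if host != sess.server:
                raise ValueError("227 address does not match the server")
        elif e:
            host, port = sess.server, int(e.group(1))
        else:
            return None
        rule = (sess.client, sess.server, port)
    sess.data_rules.append(rule)
    return rule

def data_transfer_done(sess, rule):
    sess.data_rules.remove(rule)                # one transfer finished: drop only its rule

def close_control(sess):
    dropped, sess.data_rules = sess.data_rules, []   # control closed: drop every remaining rule
    return dropped
```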