About the FTP Control Policy
By default, the Zscaler service does not allow users from a location to upload or download files from FTP sites. You can configure the FTP Control policy to allow access to specific sites. Zscaler has a recommended policy for FTP Control.
Note the following:
- The FTP policy applies to traffic from the known locations of an organization.
- The service supports FTP over HTTP. The anti-virus engine will scan the content for viruses and spyware. These connections are also subject to rules created under the URL Filtering Policy in the admin portal.
- The service supports passive FTP only. If the destination server does not support passive FTP, the service generates an alert message to this effect in the end user's browser.
- If a road warrior uses a dedicated port, then the service supports FTP over HTTP for road warriors. So when a road warrior’s browser connects to FTP sites and downloads files, the anti-virus engine of the service will be able to scan the content for viruses and spyware.
- The service does not support AV scanning for native FTP traffic.
- URL Filtering Policy rules take precedence over the FTP Control policy. For example, if you have a URL Filtering Policy rule that blocks access to Adult Material, the Zscaler service will block users who try to transfer files from ftp://ftp.playboy.com/
- User-, department-, or group-level URL filtering rules blocking access to specific sites will not be enforced for FTP sites because FTP does not support cookies. Only rules applied to all users will be enforced. For example, if you have a catch-all URL Filtering rule that blocks access to Adult Material, anybody trying to ftp to ftp://ftp.playboy.com/ will get blocked.
For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?