Block FTP access traversing EdgeSWG (ProxySG)

Article ID: 276540


Updated On:

Products

ISG Proxy, ProxySG Software - SGOS, Advanced Secure Gateway Software - ASG

Issue/Introduction

FTP clients can use several methods to communicate with FTP servers with the aim of bypassing traditional corporate firewalls. These methods include proxying Native FTP, FTP over HTTP, and FTP over HTTP Tunneling.

Environment

EdgeSWG (ProxySG) 

Cause

By default, EdgeSWG (ProxySG) blocks the proxying of Native FTP, FTP over HTTP, and FTP over HTTP Tunneling. However, inadvertent changes to proxy services and/or years of unaudited policy modifications may have allowed EdgeSWG to proxy FTP.
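To see whether FTP is in fact traversing the proxy, the following added example (not part of the original article and not vendor code) scans an ELFF access log export for transactions on the three FTP paths named above that were not denied. The log lines are constructed, and the way each path is told apart (an HTTP method with an `ftp` scheme, a `CONNECT` to port 21, any other `ftp`-scheme request) is an assumption to confirm against your own access log format.

```python
import shlex
from collections import Counter

# Constructed sample in ELFF layout. Real logs may order fields differently,
# which is why the "#Fields:" header is parsed rather than assumed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-scheme cs-host cs-uri-port sc-filter-result
2024-01-10 09:00:01 10.0.0.5 GET http www.example.com 80 OBSERVED
2024-01-10 09:00:07 10.0.0.8 GET ftp ftp.example.org 21 OBSERVED
2024-01-10 09:01:12 10.0.0.8 CONNECT tcp ftp.example.org 21 OBSERVED
2024-01-10 09:02:30 10.0.0.9 RETR ftp files.example.net 21 OBSERVED
2024-01-10 09:03:44 10.0.0.9 GET ftp ftp.example.org 21 DENIED
2024-01-10 09:04:02 10.0.0.5 CONNECT tcp www.example.com 443 OBSERVED
"""

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT"}

def classify(rec):
    """Map one log record to one of the article's three FTP paths, or None."""
    method = rec.get("cs-method", "").upper()
    scheme = rec.get("cs-uri-scheme", "").lower()
    if method == "CONNECT" and rec.get("cs-uri-port") == "21":
        return "FTP over HTTP Tunneling"  # assumption: tunnel to FTP control port 21
    if scheme == "ftp":
        # assumption: native FTP is logged with FTP commands, not HTTP methods
        return "FTP over HTTP" if method in HTTP_METHODS else "Native FTP"
    return None

def audit(log_text):
    """Return (client, host, kind) for every FTP transaction that was not denied."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, shlex.split(line)))  # shlex keeps quoted values whole
            kind = classify(rec)
            if kind and rec.get("sc-filter-result") != "DENIED":
                hits.append((rec["c-ip"], rec["cs-host"], kind))
    return hits

if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for client, host, kind in found:
        print(f"{client} -> {host}: {kind}")
    print(Counter(kind for _, _, kind in found))
```

Any hit in the output means FTP was proxied rather than blocked, which points at the policy and service settings covered under Resolution.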

 

Resolution

  • To prevent FTP clients from using Native FTP, FTP over HTTP, and FTP over HTTP Tunneling, apply a policy that blocks "All FTP".

Sample of VPM policy rule:

Note: The policy above is likely needed if the default proxy policy has been changed from Deny to Allow. The default proxy policy can be found under SG Admin Console > Configuration > Policy > Policy Options.

 

  • Unless there is a business need and/or other security in place in the network, it is highly suggested to keep the FTP service at its default setting of bypass. This can be verified by navigating to SG Admin Console > Configuration > Services > Proxy Services and looking for the FTP service (sample screenshot below).