Limit Automic FTP Agent data flow ports to a specific range

Article ID: 439711


Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

You are unable to restrict the FTP Agent data flow ports to a specific port or range for firewall compliance.

 

SYMPTOMS:

  • The FTP Agent connects to a well-known control port on the remote FTP endpoint server (TCP 21 for FTP, TCP 22 for SFTP).
  • For the data connection of each FTP transfer, the Agent host uses a random ephemeral high port, so the port differs from transfer to transfer.
  • Security teams cannot isolate the host with firewall rules tied to fixed ports for known processes.

 

This occurs when trying to enforce strict network isolation and firewall rules for Automic processes.

Cause

The Automic FTP Agent does not currently offer an application-level parameter to restrict or define a specific range for data flow ports. The agent relies on the host Operating System's dynamic pool to assign available ephemeral high ports for standard FTP data transfers.

Resolution

Because no such parameter exists, there is no supported configuration that pins the data port range. If this functionality is required for your business operations, please submit an Enhancement Request to Product Management for future consideration.

 

Industry Alternatives for Consideration

When dealing with strict network isolation requirements, forcing the FTP data ports into a narrow range introduces its own risks: each completed transfer leaves its port in TIME_WAIT for a while, so the pool can be exhausted when many transfers run concurrently and jobs then fail because no data connection can be opened. To achieve network security without creating these bottlenecks, organizations often consider the following practices:

  • Consider Migrating to SFTP (SSH File Transfer Protocol): Standard FTP relies on a dual-channel design (a control connection plus a separate data connection per transfer, on a port negotiated at run time), which static firewall rules alone cannot fully express. SFTP resolves this by tunneling all commands and data over a single, predictable port (typically TCP 22), which is straightforward to allow with one firewall rule and involves no ephemeral port pool.

    Note: The Automic FTP Agent natively supports SFTP transfers; the remote endpoint must expose an SSH/SFTP service for this option to apply.
  • Consider Firewall Application Layer Gateways (ALG): Many modern firewalls combine Stateful Packet Inspection with an FTP ALG. The ALG reads the standard FTP control channel (TCP 21); when the Agent and server negotiate a high port for a data transfer (PORT/EPRT in active mode, the 227/229 reply to PASV/EPSV in passive mode), the firewall opens a pinhole for exactly that connection and closes it again when the data connection is torn down. This offers strict, dynamic network isolation without hardcoding a data port range in the application. Caveat: an ALG can only act on a cleartext control channel; if the endpoint requires FTPS (AUTH TLS), the negotiation is encrypted, the firewall cannot learn the data port, and the ALG approach no longer applies.

    Disclaimer:
    This information is provided solely to raise awareness of possible infrastructure-level solutions. Broadcom does not endorse or officially support specific third-party ALG configurations. While ALG activity is generally invisible to the FTP Agent, thorough testing should be performed by your network team to confirm compatibility in your specific environment.
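As an added illustration (not Automic, Broadcom or firewall-vendor code), the following Python script performs the parsing step an FTP ALG relies on: it reads the cleartext control-channel exchange and derives the data connection each PORT, EPRT, 227 (PASV) or 229 (EPSV) message announces, which is exactly the pinhole a firewall would open. The transcripts, the RFC 5737 documentation addresses and the `alg_pinholes` helper are constructed for this example; the script also shows the FTPS caveat, because once the server accepts AUTH TLS the ALG sees only ciphertext.

```python
"""Mimic the control-channel parsing an FTP Application Layer Gateway performs.

Added example (not Automic, Broadcom or firewall-vendor code). An FTP ALG
watches the cleartext control connection and learns, from PORT/EPRT (active
mode) and 227/229 replies (passive mode), which high port the data connection
will use, then admits exactly that flow. Transcripts and addresses below are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active": server dials the client; "passive": client dials the server
    host: str   # address that listens for the data connection
    port: int   # TCP port that listens for the data connection


# Client -> server commands (RFC 959 PORT, RFC 2428 EPRT); commands are case-insensitive.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|\s*$", re.IGNORECASE)
# Server -> client replies (227 answers PASV, 229 answers EPSV).
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _decode_h_p(parts) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form; port = p1*256 + p2. None if a value exceeds a byte."""
    vals = [int(p) for p in parts]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def parse_control_line(line: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, or None.

    server_ip is the server end of the control connection; an ALG needs it
    because a 229 (EPSV) reply carries only the port.
    """
    if (m := _PORT_RE.match(line)):
        hp = _decode_h_p(m.groups())
        return DataChannel("active", *hp) if hp else None
    if (m := _EPRT_RE.match(line)):
        port = int(m.group(2))
        return DataChannel("active", m.group(1), port) if 0 < port <= 65535 else None
    if (m := _PASV_RE.match(line)):
        hp = _decode_h_p(m.groups())
        return DataChannel("passive", *hp) if hp else None
    if (m := _EPSV_RE.match(line)):
        port = int(m.group(1))
        return DataChannel("passive", server_ip, port) if 0 < port <= 65535 else None
    return None


def alg_pinholes(transcript: List[str], client_ip: str, server_ip: str
                 ) -> Tuple[List[Tuple[str, str, int]], bool]:
    """Walk a control-channel transcript; return ([(src, dst, dst_port), ...], encrypted).

    Each tuple is the single flow a firewall would admit for one data
    connection. Once the server answers AUTH TLS with a 234 reply (RFC 4217)
    the channel is ciphertext and the ALG can learn nothing further.
    """
    pinholes: List[Tuple[str, str, int]] = []
    for line in transcript:
        if line.startswith("234"):                       # AUTH accepted, TLS follows
            return pinholes, True
        ch = parse_control_line(line, server_ip)
        if ch is None:
            continue
        if ch.mode == "active":
            pinholes.append((server_ip, ch.host, ch.port))   # server dials the client
        else:
            pinholes.append((client_ip, ch.host, ch.port))   # client dials the server
    return pinholes, False


# Constructed transcripts (RFC 5737 documentation addresses, one line per message).
CLIENT_IP, SERVER_IP = "198.51.100.7", "192.0.2.10"
PLAIN_FTP_TRANSCRIPT = [
    "220 ftp.example.test ready",
    "USER automic", "331 Password required", "PASS ********", "230 Logged in",
    "PASV", "227 Entering Passive Mode (192,0,2,10,195,82)",    # server port 195*256+82 = 50002
    "RETR payroll.csv", "150 Opening data connection", "226 Transfer complete",
    "PORT 198,51,100,7,212,15", "200 PORT command successful",   # client port 212*256+15 = 54287
    "STOR report.txt", "150 Ok to send data", "226 Transfer complete",
]
FTPS_TRANSCRIPT = [
    "220 ftp.example.test ready",
    "AUTH TLS", "234 Proceed with negotiation",
    "<everything after this point is TLS ciphertext on the wire>",
]

if __name__ == "__main__":
    for name, transcript in (("plain FTP", PLAIN_FTP_TRANSCRIPT), ("FTPS", FTPS_TRANSCRIPT)):
        holes, encrypted = alg_pinholes(transcript, CLIENT_IP, SERVER_IP)
        print(f"{name}: encrypted={encrypted} pinholes={holes}")
```

The active-mode branch is the case behind the symptom list above: with PORT the Agent host itself listens on the ephemeral port and the server dials in, so a firewall in front of the Agent must admit an inbound connection it cannot predict from static rules. The 234 branch is the point to check before relying on an ALG: an endpoint that requires AUTH TLS leaves the firewall blind, and the data ports are back to needing a static rule.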


Note on OS-Level Limitations: It is technically possible to narrow the ephemeral port range at the Operating System level (for example the net.ipv4.ip_local_port_range sysctl on Linux, or the TCP dynamic port range set with netsh int ipv4 set dynamicport tcp on Windows), but this is a global setting that applies to every outbound connection from the host, not only to the FTP Agent. It is generally not recommended as a standard workaround because a range that is too small can cause system-wide connection failures for the Automation Engine, database clients and the OS itself.

 

Additional Information

Example