FTP is a legacy file transfer protocol that uses separate control and data channels. While modern web and API traffic is protected by tokens, TLS, session policy and WAAP controls, FTP in most organizations still operates at the level of "open port, check username and password." EDI workflows, batch transfers, partner file exchange, mainframe bridges and legacy document systems therefore run outside security visibility.
Traditional network security offers two weak options for FTP. Either port 21 is opened and no one can see which commands pass through, or FTP is removed entirely and a months-long integration project begins. Many legacy systems cannot absorb that transition quickly.
Using FTPS alone is not enough either. Traffic may be encrypted, but the questions remain: which user is running which command, which file is being retrieved or sent, which backend is being accessed, is the data connection coming from the right source, and how long has the session been open.
The protocol design of FTP creates a specific attack surface. The PORT command can direct data connections to third-party addresses, FXP-style server-to-server transfers can be abused, and weak anonymous or shared accounts can remain open for extended periods. These risks are difficult to observe at the network layer; application-level FTP session awareness is required.
The TR7 WAAP FTP security proxy layer operates classic FTP services — without removing them — under command whitelisting, per-user policy, bounce/FXP mitigation, session control and forensic audit.
TR7 WAAP treats FTP not as a port-opening decision but as an application session that is authorized per user and audited command by command.
FTP commands such as RETR, STOR, DELE, MKD, RMD, LIST, NLST, RNFR, RNTO, SIZE and MDTM are placed on an individual allow/deny list. Unknown commands or commands absent from the policy are rejected by default.
The FTP username can be used as a policy key. Different users connecting through the same VIP can operate with different command sets, different timeouts and different backend pools.
The source of the data connection is correlated with the control connection. PORT attempts directed at third-party addresses or server-to-server transfer behavior are blocked by default; exceptions are defined by an explicit policy decision.
Every session, command and file transfer is written to the audit log. Monitor mode surfaces the full file path; filecopy mode can store a timestamped copy of each transferred file.
The FTP Security Proxy brings the command, user, data channel, session and audit weaknesses of the classic FTP protocol under the WAAP policy model.
TR7 manages standard FTP commands as allow/deny decisions at the policy level. In a read-only role, commands such as RETR, LIST, NLST, SIZE, MDTM and STAT remain open while STOR, DELE, RMD or RNTO can be denied. In an upload role, only STOR and the necessary directory commands are permitted. This ensures that "has FTP access" does not translate into unlimited file permissions.
The username is read at the login stage and fed into the WAAP policy engine. Two users connecting to the same VIP can operate with different command sets, different session durations, different audit depth and different backend pools. This architecture consolidates partner-, department- or tenant-based file transfers at a single entry point. Operations teams define security boundaries per user.
One user can be directed to a specific backend pool while another is routed to a different pool. The client-side `user@server` selection pattern can be used, or TR7 can resolve the user to the appropriate backend through a central table. This eliminates the need to open many separate VIPs for B2B partner FTP, department sharing or tenant separation. Controlled routing happens under a single entry point.
Active and passive FTP modes behave differently with respect to the data connection. TR7 correlates PORT and PASV flows with the session to ensure the data channel is established correctly. The passive port range can be restricted by policy; the source IP toward the backend can be pinned. This reduces transfer failures for FTP services behind NAT and firewalls.
In FTP bounce attacks the PORT command attempts to direct data connections to a third target. TR7 can reject this behavior by matching the data connection against the real endpoint of the control connection. Server-to-server transfer behavior similar to FXP can be kept off by default. Required exceptions are defined explicitly; a security gap is never the default behavior.
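The check described above, sketched as an added example (not TR7's own code): parse the address announced in PORT or EPRT and compare it with the peer address of the control connection. The function names and the `allow_third_party` switch are hypothetical stand-ins for the explicit policy exception, and all addresses are constructed documentation values.

```python
import ipaddress

def parse_data_endpoint(verb, arg):
    """Return (ip, port) announced by PORT (RFC 959) or EPRT (RFC 2428)."""
    arg = arg.strip()
    if verb.upper() == "PORT":
        parts = arg.split(",")                      # h1,h2,h3,h4,p1,p2
        if len(parts) != 6 or not all(
                p.isascii() and p.isdecimal() and int(p) <= 255 for p in parts):
            raise ValueError("malformed PORT argument")
        n = [int(p) for p in parts]
        return ipaddress.ip_address("%d.%d.%d.%d" % tuple(n[:4])), n[4] * 256 + n[5]
    if verb.upper() == "EPRT":
        fields = arg.split(arg[0]) if arg else []   # |proto|addr|port|
        if (len(fields) != 5 or fields[1] not in ("1", "2")
                or not (fields[3].isascii() and fields[3].isdecimal())):
            raise ValueError("malformed EPRT argument")
        port = int(fields[3])
        if not 0 < port < 65536:
            raise ValueError("EPRT port out of range")
        return ipaddress.ip_address(fields[2]), port
    raise ValueError("not a data-port command")

def check_data_command(verb, arg, control_peer, allow_third_party=False):
    """Decide whether a PORT/EPRT may be forwarded. Returns (allowed, reason)."""
    try:
        ip, port = parse_data_endpoint(verb, arg)
    except ValueError as exc:
        return False, str(exc)
    peer = ipaddress.ip_address(control_peer)
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d
    if peer.version == 6 and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    # Default deny: the data address must be the control connection's peer.
    if ip != peer and not allow_third_party:
        return False, "data address %s differs from control peer %s" % (ip, peer)
    return True, "ok %s port %d" % (ip, port)
```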
FTP sessions can be evaluated by source IP, country, ASN, time window or user information. Connections from outside specific partner countries or corporate IP ranges can be rejected. This brings the access-control approach used on the web and API side to FTP as well. Legacy file transfer flows are bound to modern access policy.
FTP sessions can stay open for long periods and consume sockets on the backend. TR7 can manage limits such as login timeout, idle timeout and total session duration at the policy level. A default session duration of 900 seconds can be used as a baseline and adjusted as needed. Idle sessions are closed without keeping the backend waiting.
FTP clients can change directories with CWD and then issue relative file commands. Monitor mode tracks the working directory within the session and logs commands such as `RETR file.csv` with their full file path. The audit record therefore shows not just the command but the actual file location. Post-incident investigation clarifies exactly which file was retrieved or sent.
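How working-directory tracking turns a relative `RETR file.csv` into a full path, as an added example (not TR7's implementation). The class name, record fields and sample paths are hypothetical; the tracker only moves its directory when the backend's reply code reports success.

```python
import posixpath

FILE_VERBS = {"RETR", "STOR", "DELE", "SIZE", "MDTM", "RNFR", "RNTO", "MKD", "RMD"}

class PathTracker:
    """Follows CWD/CDUP on one control connection and resolves file arguments."""

    def __init__(self, user, start_dir="/"):
        self.user = user
        self.cwd = start_dir

    def resolve(self, arg):
        # join() discards cwd when arg is absolute; normpath() folds "." and ".."
        return posixpath.normpath(posixpath.join(self.cwd, arg))

    def observe(self, line, reply_code):
        """Feed one client command plus the backend's reply code.

        Returns an audit record for file commands, otherwise None.
        """
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        ok = 200 <= reply_code < 300
        if verb == "CWD" and ok:
            # A refused CWD (for example 550) must not move the tracked directory.
            self.cwd = self.resolve(arg)
        elif verb == "CDUP" and ok:
            self.cwd = self.resolve("..")
        elif verb in FILE_VERBS and arg:
            return {"user": self.user, "command": verb, "argument": arg,
                    "path": self.resolve(arg), "reply": reply_code}
        return None
```

The tracked directory is the proxy's view; where the backend resolves symlinks or a chroot differently, the path in its 257 reply to PWD is the authoritative one.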
For compliance or forensic needs, a copy of each transferred file can be written to a separate storage area. Files can be kept in a date-based directory structure and correlated with the audit log. This means the question "which file was sent?" can be answered not only with a log entry but with the file itself. Audit evidence is strengthened in regulated sectors.
When FTPS is in use the control channel is encrypted, but commands must be understood to apply security policy. The TR7 WAAP FTP security proxy layer terminates the FTPS session at the security layer and can inspect the commands. Under AUTH TLS, forwarding to the backend can be re-encrypted or adapted to the internal network model. Certificate and TLS policy align with the central management pool.
The FTP Security Proxy is operated together with command processing, data connection lifecycle, HA behavior, audit streaming, resource limits and compliance retention policies.
Every FTP command is received from the control channel, parsed, and evaluated against the ValidCommands list and the user policy. A permitted command is forwarded to the backend. A rejected command returns a standard FTP error response (502 or 550), so the exchange with the client stays protocol-compliant.
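The command pipeline and per-user roles described above, as an added example (not TR7's code or configuration syntax). The role tables, usernames and session-command set are constructed; mapping 502 to verbs outside the valid list and 550 to verbs the user's role denies is an assumption, since the page names both codes without assigning them.

```python
PRE_LOGIN = {"USER", "PASS", "QUIT"}
SESSION = {"QUIT", "NOOP", "TYPE", "PWD", "CWD", "CDUP", "PASV", "PORT"}
FILE_OPS = {"RETR", "STOR", "DELE", "MKD", "RMD", "LIST", "NLST",
            "RNFR", "RNTO", "SIZE", "MDTM", "STAT"}
# Hypothetical stand-in for the ValidCommands list: anything else is rejected.
VALID_COMMANDS = PRE_LOGIN | SESSION | FILE_OPS

ROLES = {
    "read-only": SESSION | {"RETR", "LIST", "NLST", "SIZE", "MDTM", "STAT"},
    "upload": SESSION | {"STOR", "LIST", "MKD"},
}
USERS = {"partner-a": "read-only", "scanner-01": "upload"}  # constructed users

class PolicySession:
    """One control connection; the FTP username becomes the policy key."""

    def __init__(self):
        self.pending_user = None   # name seen in USER, not yet authenticated
        self.user = None           # set once the backend confirms the login

    def on_command(self, line):
        """Return (forward, reply); forward=True passes the line to the backend."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in VALID_COMMANDS:
            return False, "502 Command not implemented."
        if self.user is None:
            if verb not in PRE_LOGIN:
                return False, "530 Not logged in."
            if verb == "USER":
                self.pending_user = arg.strip()
            return True, None
        # USER/PASS are in no role, so a session cannot switch to another
        # account while still being judged under the first account's policy.
        if verb not in ROLES.get(USERS.get(self.user), set()):
            return False, "550 Permission denied."
        return True, None

    def on_backend_reply(self, code):
        if code == 230 and self.user is None and self.pending_user is not None:
            self.user = self.pending_user   # 230 = user logged in
```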
When a PORT or PASV command is seen, TR7 associates the data connection with the session. Separate data connections exist between client and TR7, and between TR7 and the backend. This structure makes it possible to close the session in a controlled way if a policy violation is detected during a transfer.
New FTP sessions open on the active node with the same policy. Ongoing large data transfers may be interrupted at a failover event due to the nature of the protocol; if the client supports resume, the transfer can be restarted or continued. Critical transfers should therefore be tested for client behavior before production deployment.
Separate logs can be produced at the session, command and transfer level. Logs can be sent to the SIEM stream in a structured format. Monitor mode appends the full file path to the log line; filecopy mode appends the location of the stored file copy.
Concurrent session count, sessions per user, sessions per IP, file size and transfer rate can all be restricted by policy. This prevents a single user or a misbehaving batch job from exhausting FTP infrastructure. Bandwidth and timeout should be planned together for large file transfers.
The full path, timestamp, user information and, if required, a file copy of every transferred file can be retained. Retention duration is set according to the organization's compliance policy. During an audit, FTP traffic is no longer a dark area.
A financial institution or government agency may exchange EDI files with partners over FTP. TR7 routes each partner behind a single VIP to its own backend pool, opens only the permitted commands and places every transfer under audit.
If a legacy document platform supports only FTP upload, TR7 can be placed in front without touching the system. Policy opens only STOR and the necessary directory commands while rejecting delete and rename commands.
In integrations that retrieve files from a mainframe system, the user can be limited to read-only commands such as RETR, LIST and SIZE. STOR, DELE, RNFR, RNTO, MKD and RMD are rejected, reducing the risk of data modification.
When a healthcare or research team sends datasets to external partners, every transfer can be retained with filecopy. File size limits, per-user policy and SIEM log streaming make the sharing process auditable end to end.