Configure Advanced Protocol Inspection
FTP deep packet inspection

The existing FTP inspection allows traffic by default and restricts only traffic that fails its security checks. FTP deep packet inspection goes further: it lets the administrator block specific FTP request commands as they pass through the PIX Security Appliance, such as the commands used to rename a file. When an FTP request command is filtered, the PIX closes the connection rather than just dropping the command. The administrator defines which FTP commands to block with the ftp-map command. The FTP commands that can be blocked are shown in Figure .

FTP Deep Packet Inspection Configuration
Use the following four steps to filter FTP commands.

Step 1 Define which FTP commands to filter in the ftp-map command.
Step 2 Identify a traffic flow in the class-map command.
Step 3 Configure a policy which associates the FTP commands to be filtered, in an FTP map, with the traffic flow identified in a class map.
Step 4 Enable the policy on an interface, or on a global basis.

Use the ftp-map command to define which FTP commands should be blocked. After the administrator enters the ftp-map command followed by a map name, the system enters FTP map configuration mode. In that mode, the deny-request-cmd command lists the FTP request commands to block. In the example in Figure , the ftp-map named inbound_ftp is defined, and its deny-request-cmd entries identify the commands to be filtered.

In the example in Figure , the inbound_ftp ftp-map identifies six FTP request commands to filter. The class map inbound_ftp_traffic matches the traffic defined by access-list 101: FTP traffic between any host and host 192.168.1.11, the FTP server. In the policy map named inbound, the request-command restrictions defined in the ftp-map inbound_ftp are associated with the inbound_ftp_traffic class of traffic. Lastly, the inbound policy is enabled on the outside interface with the service-policy command.
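The four steps above, written out as one PIX 7.x configuration. This is an added example, not the configuration shown in the page's figure: the page does not reproduce which six commands that figure denies, so the six keywords in the deny-request-cmd line below are an assumption for illustration (they are valid deny-request-cmd keywords, chosen to block rename, delete and directory-changing operations). The map name inbound_ftp, class map inbound_ftp_traffic, access-list 101, server 192.168.1.11, policy map inbound and the outside interface are taken from the text.

```cisco
! Step 1: define the FTP map and the request commands to deny.
! Which six commands the page's figure lists is not known; these six are assumed.
! rnfr/rnto = rename, dele = delete file, rmd/mkd = remove/make directory, cdup = change to parent directory
ftp-map inbound_ftp
  deny-request-cmd rnfr rnto dele rmd mkd cdup

! Step 2: identify the traffic flow: FTP control connections from any host to the FTP server.
access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
class-map inbound_ftp_traffic
  match access-list 101

! Step 3: bind the FTP map to the class in a policy map.
! The map is only consulted when FTP inspection runs in strict mode, hence "inspect ftp strict <map>".
policy-map inbound
  class inbound_ftp_traffic
    inspect ftp strict inbound_ftp

! Step 4: enable the policy on the outside interface (use "service-policy inbound global" to apply it everywhere).
service-policy inbound interface outside
```

To confirm the policy is active, use show service-policy interface outside; the class inbound_ftp_traffic should list inspect ftp strict inbound_ftp, and its packet counters should increase as a client connects to 192.168.1.11. Because a filtered command closes the whole control connection, test the deny list from a client first, since legitimate users whose FTP client issues a denied command (for example a browser that sends CDUP while navigating directories) will be disconnected rather than just refused that one command.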