KB Article | Forcepoint Support

Problem Description

When end users attempt to connect to an FTP server, the firewall sends them the following prompt:
 
220-Firewall ftp proxy. You must login to the proxy first.
220 Use proxy-user:auth-method@destination.
Name (si_ipaddr:proxy-user):
 

Resolution

Cause

The prompt appears because the non-transparent FTP proxy needs the login and destination information to determine which rule will allow the connection.

Solution

Instruct end users that they will be prompted to supply a user name, authentication method, and destination, even if the associated allow rule does not require authentication. Instruct users to respond to the Name (si_ipaddr:username): prompt by entering the @ sign followed by the FTP server’s IP address, as shown in this example:
 
Name (si_ipaddr:proxy-user):@123.11.12.123

Users who incorrectly enter a user name at the prompt are still allowed access to the FTP server through the non-transparent FTP rule that does not require authentication. The firewall handles entries containing user names that do not match any existing FTP rule in the same manner as entries without a user name.
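
The login string format from the 220 banner, as an added example that is not Forcepoint code: a small Python parser for replies to the Name prompt, plus a model of the fallback described above. The function names, the rule_users set, and the sample user and method names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Set


class ProxyLogin(NamedTuple):
    user: str         # "" when nothing was typed before the '@'
    auth_method: str  # "" when no ':auth-method' was supplied
    destination: str  # FTP server the proxy should connect to


def parse_proxy_login(entry: str) -> ProxyLogin:
    """Split a reply to the Name prompt into proxy-user:auth-method@destination."""
    # Split on the last '@' so the destination is always what follows it.
    creds, sep, dest = entry.strip().rpartition("@")
    if not sep or not dest:
        raise ValueError("reply must end with @destination")
    user, _, method = creds.partition(":")
    return ProxyLogin(user, method, dest)


def destination_is_ip(login: ProxyLogin) -> bool:
    """True when the destination is a literal IP address, as the article instructs."""
    try:
        ipaddress.ip_address(login.destination)
        return True
    except ValueError:
        return False


def handled_as_no_user(login: ProxyLogin, rule_users: Set[str]) -> bool:
    """Model of the article's statement: a user name that matches no FTP rule
    is handled like an empty user name. rule_users is a hypothetical set of
    the user names referenced by the FTP rules."""
    return login.user == "" or login.user not in rule_users


if __name__ == "__main__":
    rule_users = {"alice"}  # constructed sample, not from the article
    for reply in ("@123.11.12.123", "bob@123.11.12.123",
                  "alice:password@123.11.12.123"):
        login = parse_proxy_login(reply)
        print(reply, login, destination_is_ip(login),
              handled_as_no_user(login, rule_users))
```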


Keywords: sidewinder; ftp proxy; nontransparent; authentication; ftp server; non-transparent FTP
