SanYang
Oct 24, 2025

Can F5 restrict the file types transferred via FTP?

Hello expert,

I have set up an FTP Virtual Server.

Can F5 restrict the file types transferred via FTP?

Thanks

7 Replies

  • Hi SanYang

    You need the WAF module to restrict the files; if you only have LTM, it cannot restrict any files.

  • For FTP that doesn't seem normally possible. The FTP profile and the FTP commands in iRule don't give this option.

    It is probably possible by looking at the data with an iRule and looking for the file name in the PUT command, but that requires some deep iRule knowledge and own development. If you're not already an above-average user of that, it isn't possible.

  • This article gives nice info about how to set restrictions to FTP with an iRule:

    iRule Security 101 - #07 - FTP Proxy | DevCentral

    Below is an iRule that should get you going. You probably also want to check on PUT and MPUT besides STOR.

    when RULE_INIT {
      # static:: keeps the flag CMP-compatible; set to 0 to silence logging
      set static::DEBUG 1
    }
    
    when CLIENT_ACCEPTED {
      if { $static::DEBUG } { log local0. "client accepted" }
    }
    
    when CLIENT_DATA {
      if { $static::DEBUG } { log local0. "----------------------------------------------------------" }
      if { $static::DEBUG } { log local0. "payload [TCP::payload]" }
      # Strip the trailing CRLF so the glob patterns can match on the file extension
      set client_data [string trim [TCP::payload]]
      #---------------------------------------------------
      # Block or alert specific commands
      #---------------------------------------------------
      switch -glob [string tolower $client_data] {
        "stor *.tar" -
        "stor *.gz" -
        "stor *.tgz" -
        "stor *.tar.gz" -
        "stor *.zip" {
          if { $static::DEBUG } { log local0. "LOG: STOR request detected" }
          
          # Answer the client directly and drop the command so it never reaches the server
          TCP::respond "550 STOR filetype not allowed\r\n"
          TCP::payload replace 0 [string length $client_data] ""
          return
        }
      }
      # Anything else is passed to the server; keep collecting for the next command
      TCP::release
      TCP::collect
    }
    
    when SERVER_CONNECTED {
      if { $static::DEBUG } { log local0. "server connected" }
      TCP::release
      TCP::collect
      # Start inspecting the client side of the control channel
      clientside { TCP::collect }
    }
    when SERVER_DATA {
      if { $static::DEBUG } { log local0. "payload <[TCP::payload]>" }
      TCP::release
      TCP::collect
    }
    
    when CLIENT_CLOSED {
      if { $static::DEBUG } { log local0. "client closed" }
    }

    When using WinSCP, it shows when the upload is being blocked.
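
The matching step of the iRule above as plain Tcl, added here as an example (not code from the post or the linked article): it goes beyond the posted glob list by also checking APPE and RNTO, the other RFC 959 commands that name a file to be written, and by checking every command when one segment carries several. The proc names and the sample payloads are constructed for illustration.

```tcl
# Added example; plain tclsh, Tcl 8.4 syntax (the Tcl level iRules use).
# Verbs from RFC 959 that name a file to be written on the server.
set WRITE_VERBS  {STOR APPE RNTO}
# Blocked extensions, taken from the iRule above.
set BLOCKED_EXTS {.tar .gz .tgz .zip}

# Return 1 if a single control-channel line should be rejected.
proc line_blocked {line} {
    global WRITE_VERBS BLOCKED_EXTS
    set line [string trim $line]
    # Split "VERB argument" at the first space; the file name may contain spaces.
    set sp [string first " " $line]
    if { $sp < 0 } { return 0 }
    set verb [string toupper [string range $line 0 [expr {$sp - 1}]]]
    set name [string tolower [string trim [string range $line $sp end]]]
    if { [lsearch -exact $WRITE_VERBS $verb] < 0 } { return 0 }
    # Compare the end of the file name with each blocked extension.
    foreach ext $BLOCKED_EXTS {
        set tail [string range $name end-[expr {[string length $ext] - 1}] end]
        if { $tail eq $ext } { return 1 }
    }
    return 0
}

# Return 1 if any command in a collected payload should be rejected.
# One TCP segment can carry more than one CRLF-terminated command.
proc payload_blocked {payload} {
    foreach line [split $payload "\n"] {
        if { [line_blocked $line] } { return 1 }
    }
    return 0
}

# Constructed sample control-channel payloads (not captured traffic).
foreach sample [list \
    "STOR backup.ZIP\r\n" \
    "APPE logs.tar.gz\r\n" \
    "RNTO report.tgz\r\n" \
    "TYPE I\r\nSTOR site.zip\r\n" \
    "STOR notes.txt\r\n" \
    "RETR archive.zip\r\n" ] {
    puts [format "%-6s %s" \
        [expr {[payload_blocked $sample] ? "block" : "allow"}] \
        [string map [list "\r\n" " | "] [string trim $sample]]]
}
```

Run it with tclsh to see the verdict per sample; in an iRule the string passed to `payload_blocked` would come from `[TCP::payload]`.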