🔐 Zscaler Support for Active vs. Passive FTP

Understanding FTP Behavior Through the Zscaler Cloud Proxy and Best Practices for Connectivity

📌 Summary

This article explains how Active and Passive FTP modes behave in Zscaler environments, provides configuration tips, and offers best practices to ensure FTP connectivity through Zscaler Internet Access (ZIA).

⚙️ What is Active vs. Passive FTP?

🧭 Active FTP

• The client initiates the control connection to the server on port 21.

• The server initiates a return data connection from port 20 to the client.

• Requires the client to accept inbound connections, which are typically blocked by proxies/firewalls.

🚦 Passive FTP

• The client initiates both the control and data connections.

• The server responds with a dynamic port for data transfer, and the client connects to it.

• Ideal for clients behind firewalls or proxies like Zscaler.

🛑 Why Active FTP May Fail with Zscaler

When users are behind Zscaler (especially when using Client Connector or a PAC file), Active FTP can fail due to the following:

• Zscaler operates as a cloud proxy, meaning all outbound connections are initiated by the client.

• Return connections (as used in Active FTP) are not permitted inbound through the Zscaler tunnel.

• This design maintains security and traffic control within ZIA.

✅ Recommended Fix: Use Passive FTP Mode

Zscaler fully supports Passive FTP, and this should be the default setting in all FTP clients.

✔ Why Passive FTP Works:

• The client initiates all traffic—both control and data channels.

• No inbound connection is needed, allowing Zscaler to maintain the session securely.

• Works across most network types and client environments.

🛠 FTP Client Configuration

To enable Passive FTP:

1. Open your FTP client (e.g., FileZilla, WinSCP).

2. Navigate to Settings > Connection > FTP.

3. Select “Passive Mode” or “Use Passive (PASV) mode.”

🌐 Additional Configuration Recommendations

🔧 Configuring the FTP Control Policy in ZIA
To configure the FTP Control policy:

1. Go to Policy > FTP Control in the ZIA Admin Portal.

2. Configure the following settings:

   • Allow FTP over HTTP: By default, the Zscaler service doesn't allow FTP over HTTP. Enable this option if required.

   • Allow Native FTP: Enable this option to allow native FTP traffic.

For detailed steps, refer to Configuring the FTP Control Policy.

⚙️ Recommended FTP Control Policy Settings
Zscaler recommends configuring the FTP Control policy as follows:

• Disable the Allow FTP over HTTP option: This prevents FTP over HTTP traffic.

• Disable the Allow Native FTP option: This prevents native FTP traffic.

For more information, see Recommended FTP Control Policy.

🛡️ Supporting FTP Applications in Zscaler Private Access (ZPA)
For organizations using Zscaler Private Access (ZPA), it's important to configure the service to support passive FTP mode traffic. Detailed guidance is available at Supporting FTP Applications.

🔒 FTPS (FTP over TLS) Considerations
Zscaler does not support FTP over TLS in transparent mode. To enable FTPS, configure an explicit proxy in your FTP client settings. For example, in WinSCP, set up the explicit proxy to facilitate FTPS connections. More details can be found in the Zscaler Community discussion on FTPS setup.

🔒 Security Recommendations

• Use Secure Protocols: Prefer SFTP or FTPS for encrypted file transfers and login credentials.

• Define Explicit Policies: Configure firewall rules and URL filters to permit trusted FTP hosts and ports.

• Monitor Traffic: Regularly review session logs in the ZIA Admin Portal for insights into dropped or blocked traffic.

📬 Need Assistance?

If you're still experiencing FTP issues, please contact the SecureDynamics support team at or reach out to your Zscaler VAR for a Free ZIA Health Check.