Once your users connect via VPN , dont you consider them from a security level as being part of "LAN"?
Why do you still run port scanner protection on them?
You can maybe exclude the VPN connected clients via address lists from port scanner, or add the VPN interface to LAN i/f list.
Or do you mean your clients get caught into the "port-scan" address list BEFORE they have established VPN connection?
(I guess not as you say they donwload FTP files, which I think means, they are connected to VPN and FTP is tunneled through VPN?)
Once your users connect via VPN , dont you consider them from a security level as being part of "LAN"?
yes, them is already security level as being part of "LAN"
Why do you still run port scanner protection on them?
I run the port scanner is block from outsider who is attack ours network. but now problem for port scanner is when my users using Filezilla and transfer bigger file size. Port scanner will auto detect the ip and block it.
I not sure Filezilla using what port to transfer the file and why my users will having block using filezilla?