Hi,

I need help, I set a Raw Rules for port scanners with allow port 21 FTP to connect.

now my problem is when users connect VPN and using FTP to transfers huge files size, their IP will block by port scanners.
how to allow port scanners is wont detect my client ip when using FTP transfers and port scanner raw rules is still enable ?

thanks.

anyone can help ? thanks a lot

Once your users connect via VPN , dont you consider them from a security level as being part of "LAN"?
Why do you still run port scanner protection on them?
You can maybe exclude the VPN connected clients via address lists from port scanner, or add the VPN interface to LAN i/f list.

Or do you mean your clients get caught into the "port-scan" address list BEFORE they have established VPN connection?
(I guess not as you say they donwload FTP files, which I think means, they are connected to VPN and FTP is tunneled through VPN?)

Once your users connect via VPN , dont you consider them from a security level as being part of "LAN"?
yes, them is already security level as being part of "LAN"

Why do you still run port scanner protection on them?
I run the port scanner is block from outsider who is attack ours network. but now problem for port scanner is when my users using Filezilla and transfer bigger file size. Port scanner will auto detect the ip and block it.
I not sure Filezilla using what port to transfer the file and why my users will having block using filezilla?

Once your users connect via VPN , dont you consider them from a security level as being part of "LAN"?
Why do you still run port scanner protection on them?
You can maybe exclude the VPN connected clients via address lists from port scanner, or add the VPN interface to LAN i/f list.

Or do you mean your clients get caught into the "port-scan" address list BEFORE they have established VPN connection?
(I guess not as you say they donwload FTP files, which I think means, they are connected to VPN and FTP is tunneled through VPN?)

Once your users connect via VPN , dont you consider them from a security level as being part of "LAN"?
yes, them is already security level as being part of "LAN"

Why do you still run port scanner protection on them?
I run the port scanner is block from outsider who is attack ours network. but now problem for port scanner is when my users using Filezilla and transfer bigger file size. Port scanner will auto detect the ip and block it.
I not sure Filezilla using what port to transfer the file and why my users will having block using filezilla?

if you have the remote public IP address of your VPN clients, add it to a "exclude from port scan protection" address list
which you use with "!" as source address list to exclude those.

PS: Are you creating dynamic interface (like PPPoE etc) which might not be part of LAN. Maybe you need to add dynamic i/f into the interface list (or exlcude them).

is that mean I have to create a new fule for exclude my client ip from port scanner ?

I would get rid of the port scanning rules,,,,,,,,,,, they are more bloatware than effective IMHO.
The fact that they are interfering with your user experience is reason enough to suspend its use until you know more.