Thanks - so what would be the work-around in the meantime? Specifically, we have users who use IE/Windows Explorer as their FTP client to transfer files to and from our internal server in the DMZ. They have always had the "Use Passive" options checked which worked until we moved to the PA firewalls. Now it does not work. The same FTP server (using an identical security rule) performs fine externally using PASV mode. The only difference, as you mentioned, is the NAT rule: from the trust zone it uses a dynamic ip-and-port source translation, and from untrust it uses destination translation on TCP 21. Is there anything we can do on the firewall to work around this issue?
... View more