Sophos XGS Firewall: Allow outgoing passive FTP

I had to allow an FTP client out to an FTP server that was using passive FTP. In passive FTP the client opens the control connection to port 21 and then receives from the FTP server the dynamic port it must connect to for the data transfer.

Although I had a firewall rule to allow all ports to go out for that specific FTP client, file transfer was still blocked. The firewall log showed that the initial traffic on port 21 was allowed through, but all subsequent traffic on the dynamic ports was blocked.

After some digging, I found that the following solved the problem:

  • Use SSH to access the firewall
  • Use Menu option 4
  • Run command: set advanced-firewall ftpbounce-prevention data

After that, the FTP transfers worked immediately.
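To make the two points above concrete, here is an added example (my own code, not anything from Sophos or the original post). It parses the "227 Entering Passive Mode" reply the client receives on the port 21 control channel, computes the dynamic data port from it, and then applies the generic sanity check that FTP bounce prevention in stateful firewalls is built around: the host advertised in the reply must be the same server the control channel is already talking to, and the port must be unprivileged. Whether the Sophos `ftpbounce-prevention data` setting does exactly this internally is an assumption; the server address and reply strings are constructed sample data.

```python
from __future__ import annotations

import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample data (not from the original post).
SAMPLE_SERVER = "203.0.113.10"
SAMPLE_REPLY_OK = "227 Entering Passive Mode (203,0,113,10,195,80)."
SAMPLE_REPLY_BOUNCE = "227 Entering Passive Mode (198,51,100,7,195,80)."


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised in a 227 PASV reply.

    The data port is p1 * 256 + p2. This is the 'dynamic port' that a rule
    allowing only port 21 knows nothing about, which is why the control
    connection passes and the data connection is dropped.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_connection_allowed(server_ip: str, reply: str) -> tuple[bool, str]:
    """Decide whether a stateful firewall should open the PASV data connection.

    Assumed bounce-prevention rule (generic, not a statement about Sophos
    internals): the advertised host must match the server on the existing
    control connection, so the client cannot be redirected to a third party,
    and the port must be outside the privileged range.
    """
    try:
        host, port = parse_pasv(reply)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if ipaddress.ip_address(host) != ipaddress.ip_address(server_ip):
        return False, f"rejected: advertised host {host} != server {server_ip} (bounce)"
    if port < 1024:
        return False, f"rejected: advertised port {port} is privileged"
    return True, f"open {host}:{port} for this FTP session only"


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_REPLY_OK))
    print(data_connection_allowed(SAMPLE_SERVER, SAMPLE_REPLY_OK))
    print(data_connection_allowed(SAMPLE_SERVER, SAMPLE_REPLY_BOUNCE))
```

Run stand-alone it prints the parsed (host, port) pair, an "open" verdict for the legitimate reply, and a "rejected ... (bounce)" verdict for the reply that points at a different host; the static "allow all ports out" rule from the post cannot make this distinction, because it never looks inside the control channel to learn which dynamic port belongs to which session.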
