Hi Bourne,
Start with using these objects in two separate policies (it's a copy-paste from the GUI policy objects):
FTP-Get TCP src port 0-65535, dst port:21 Same as FTP if used in DENY/REJECT policies; FTP download only if used in PERMIT/TUNNEL policies(upload blocked)
FTP-Put TCP src port 0-65535, dst port:21 Same as FTP if used in DENY/REJECT policies; FTP upload only if used in PERMIT/TUNNEL policies(download blocked)
On the FTP PUT you configure firewall authentication.
You must define local users or an authentication server first.
Gavrilo