I’m checking out predefined rules for Web Browser. Under the “Allow Outgoing FTP-PASV Requests” rule, the Destination Port has a check mark at “Exclude” (a set of ports … privileged ports). Shouldn’t it be the other way around (i.e. without the check mark at Exclude)?
I can’t confirm whether this is the default setting, or I accidentally checked it at some point, though.
Exclude is checked by default in the original configuration - it’s not something that you’ve done.
I believe this is done to force the FTP server to use transfer ports above 1023 (it actually should be above 1056, but that’s by the by). This is the nature of PASV FTP.
A good, plain English explanation of this can be found at Active FTP vs. Passive FTP, a Definitive Explanation.
Hope this helps,
Ewen 
Yes, it makes sense now, thanks. 8)