When authenticating FTP traffic on the ProxySG, the authentication mode of "Proxy" should be used.
It is important to use "Proxy" authentication mode because it does not use a surrogate such as an IP address when authenticating. In other words, authentication is not cached. So the proxy is expecting authentication credentials each time you login via FTP. The reason this is necessary is because when using an IP surrogate such as with the authentication mode of "Proxy IP", the proxy is not expecting the credentials when a user is already authenticated on the proxy from a previous transaction. So in this case, when proxy credentials are provided, the login fails.
Example of CPL rule set to authenticate FTP with authentication mode of "Proxy" (with a rule under it to authenticate everything else with "Proxy IP" mode: