kpanchal
Staff
November 18, 2024

Technical Tip: Error "502 Command REST not allowed by policy"

Description

 

This article describes a possible error that may occur when accessing an FTP server over TLS.

When an Antivirus profile is used and deep-inspection is enabled, the following error is displayed in the FTP program: '502 Command REST not allowed by policy'.

 

Scope

 

FortiGate.

 

Solution

 

The FTP server is published to the WAN network through a VIP.

The firewall policy includes the following:

  • SSL deep inspection.
  • Antivirus.
  • FTP service allowed (port 21).
  • Proxy-based policy.

 

The FTP connection itself succeeds, but the FTP command used to resume a file download after it has been paused (REST) is rejected.

 

To resolve this issue, configure the protocol options as follows, keeping the Antivirus and deep inspection settings unchanged:

 

config firewall profile-protocol-options
    edit <name>
        config ftp
            set ports 21
            set options bypass-rest-command
        end
    next
end


After doing this, if the issue persists, open a ticket with Fortinet support.
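
To confirm the result from a client before opening a ticket, the following added example (not part of the original article and not Fortinet code) logs in over explicit FTPS and checks whether REST is still answered with the 502 policy error. The function names, status labels and command-line arguments (host, user) are assumptions made for this example.

```python
import ftplib
import getpass
import sys

# Text of the proxy's refusal, as quoted in this article.
POLICY_TEXT = "not allowed by policy"


def probe_rest(ftp, offset=1):
    """Send REST on a logged-in control channel and classify the reply.

    Returns (status, reply); status is 'accepted', 'blocked-by-policy',
    'refused' (REST rejected for another reason) or 'unexpected'.
    """
    try:
        reply = ftp.sendcmd(f"REST {offset}")
    except (ftplib.error_perm, ftplib.error_temp) as exc:
        reply = str(exc)
        if reply.startswith("502") and POLICY_TEXT in reply:
            return "blocked-by-policy", reply
        return "refused", reply
    if not reply.startswith("350"):
        return "unexpected", reply
    try:
        ftp.sendcmd("REST 0")  # clear the restart marker we just set
    except ftplib.Error:
        pass
    return "accepted", reply


def main(host, user):
    ftp = ftplib.FTP_TLS(host, timeout=15)  # explicit FTPS, control port 21
    ftp.login(user, getpass.getpass())      # login() sends AUTH TLS first
    ftp.prot_p()                            # protect the data channel too
    ftp.voidcmd("TYPE I")                   # binary mode, as used for resumes
    status, reply = probe_rest(ftp)
    ftp.quit()
    print(f"{status}: {reply}")
    return 0 if status == "accepted" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

A result of `blocked-by-policy` means the request is still matching a policy whose protocol options lack `bypass-rest-command`; `refused` means REST was rejected with a different reply.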