XavierMP
New Member
October 11, 2021
Question

Fortigate allow outbound FTP over TLS

  • October 11, 2021
  • 2 replies
  • 5337 views
Hi, I want to allow FTP clients in my LAN to connect to FTP servers outside over TLS. The server is listening on port 21, but after the initial communication the client and server must communicate on a high port, and it seems the Fortigate doesn't open those ports. If I allow all the outbound ports, the transfer works.

I have tried with this guide with no luck: https://kb.fortinet.com/kb/documentLink.do?externalID=FD52155

I think I am not configuring the deep inspection correctly.

Any help?

Thank you

2 replies

abarushka
Staff
April 19, 2022

Hello,

I would like to ask whether inspection mode is set to proxy or flow?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allow-explicit-FTPS-connection-over-VIP/ta-p/189531

esalija
Staff
April 16, 2023

Explicit FTPS is hence only supported with a combination of proxy-based inspection, IPS and deep inspection.


# config firewall policy
    edit 3
        set name "FTP"
        set uuid fdb707ba-cfa3-51eb-1be1-c632b14d101c
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set utm-status enable
        set inspection-mode proxy           <-----
        set ssl-ssh-profile "FTP-scan"      <-----
        set ips-sensor "default"            <-----
        set logtraffic all
    next
end
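To see why the policy above needs proxy inspection plus an SSL/SSH profile, here is an added illustration (not from this thread or from Fortinet): a small walker over a constructed FTP control-channel transcript. A firewall that does not decrypt TLS can read the 227/229 passive-mode reply in plain FTP and open the high data port, but in explicit FTPS everything after AUTH TLS / 234 is ciphertext to it, so it never learns the data port. The transcripts, hostnames and addresses are constructed examples.

```python
import re
from typing import List, Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> data port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced in a 227 PASV reply, or None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> Optional[int]:
    """Return the port announced in a 229 EPSV reply, or None."""
    m = EPSV_RE.search(reply)
    return int(m.group(1)) if m else None


def data_ports_seen_by_firewall(transcript: List[str]) -> List[int]:
    """Data ports a non-decrypting firewall could learn from the control channel.
    Each line is 'C: ...' (client) or 'S: ...' (server). After the client sends
    AUTH TLS and the server answers 234, the session is encrypted and opaque."""
    ports: List[int] = []
    awaiting_auth_reply = False
    for line in transcript:
        direction, text = line.split(" ", 1)
        if direction == "C:" and text.upper().startswith("AUTH TLS"):
            awaiting_auth_reply = True
        elif direction == "S:" and awaiting_auth_reply and text.startswith("234"):
            break  # TLS handshake follows; nothing below is readable without decryption
        elif direction == "S:":
            pasv = parse_pasv(text)
            if pasv:
                ports.append(pasv[1])
            epsv = parse_epsv(text)
            if epsv is not None:
                ports.append(epsv)
    return ports


# Constructed transcripts (not real captures)
PLAIN_FTP = [
    "S: 220 ftp.example.net ready", "C: USER anonymous", "S: 331 Password required",
    "C: PASS guest", "S: 230 Logged in",
    "C: PASV", "S: 227 Entering Passive Mode (203,0,113,10,195,80)",
    "C: RETR file.bin", "S: 150 Opening data connection",
]
EXPLICIT_FTPS = [
    "S: 220 ftp.example.net ready", "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: PASV", "S: 227 Entering Passive Mode (203,0,113,10,195,80)",  # inside TLS
]
```

With plain FTP the walker reports port 50000 and a pinhole can be opened; with explicit FTPS it reports nothing, which is the gap the proxy-mode SSL/SSH profile on the policy closes.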