FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196893

This article explains how to configure a firewall rule for FTPS (FTP over SSL).


All FortiOS users.

FortiOS currently has no session helper for FTP over SSL/TLS (FTPS).
The PORT command sent by the client (active FTPS) and the "227 Entering Passive Mode" reply sent by the server (passive FTPS) travel inside the encrypted control channel, so the IP address and port number they carry are not visible to the FortiGate. The FTPS data sessions are therefore opened on ports the FortiGate cannot predict, and the plain FTP session helper cannot open them dynamically.
A workaround is possible, consisting of the following steps:
1. Determine the passive data port range on the FTP server. This range must be configured on the FTP server itself, since the FortiGate cannot learn it from the session.
2. Create an external-to-internal firewall policy (the FTP server is on the internal network of the FortiGate). Allow the data port range through the firewall, together with port 990 (implicit FTPS control) and port 989 (implicit FTPS data). Restrict the destination of this policy to the IP address of the FTP server only.

Define an address object for the FTP server (replace <FTP-server-IP> with the server's IP address; the 255.255.255.255 mask limits the object to that single host):

config firewall address
    edit "FTP Server"
        set associated-interface "internal"
        set subnet <FTP-server-IP> 255.255.255.255
    next
end

Define a custom service covering the FTPS ports. The passive data range below (50001-50999) is the value used in this example; replace it with the range found in step 1. The entries must not carry a ":<src>-<src>" suffix: in FortiOS tcp-portrange syntax (<dst>-<dst>:<src>-<src>) that part restricts the client's source port, and FTPS clients connect from ephemeral source ports, so such a suffix would block every data connection.

config firewall service custom
    edit "ftp-ports"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 989 990 50001-50999
    next
end

If the data port range has not been tuned on the FTP server, use instead:

        set tcp-portrange 989 990 1-65535

This second form permits any TCP port to the server address and should only be used until the passive range has been restricted on the server.

Create the inbound policy (policy ID 2 is the number used in this example):

config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FTP Server"
        set action accept
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT" "ftp-ports"
        set logtraffic enable
    next
end

3.   Move this firewall policy to the top of the policy list, so that a more general policy does not match the FTPS traffic first.
4.   Test the FTPS connection from the FTP client to the FTP server, and confirm in the traffic log that the data sessions land on the destination ports covered by the "ftp-ports" service.
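The following Python script is an added example, not part of the Fortinet article, for checking the custom service against the server before running step 4. It parses the value given to "set tcp-portrange", derives the data port from a "227 Entering Passive Mode" reply the way a session helper would if it could read it, and lists the passive ports the service would fail to match for a client on an ephemeral source port (which catches an entry that carries a ":src-src" suffix by mistake). The service name "ftp-ports", the passive range 50001-50999, the sample 227 reply and the 192.0.2.10 address are constructed for the example; live_passive_port needs a reachable explicit-FTPS server and is not exercised offline.

```python
"""Check that a FortiOS custom service covers an FTPS server's passive range.

Added example (not part of the Fortinet article). Assumes the FortiOS
`set tcp-portrange` syntax DST[-DST][:SRC[-SRC]] with entries separated by
spaces, and a server whose passive range is known (50001-50999 here, a
constructed value)."""
import ftplib
import re
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
# (destination range, optional source range) per tcp-portrange entry
ServiceEntry = Tuple[PortRange, Optional[PortRange]]

# Constructed sample: passive reply from a server at 192.0.2.10 (TEST-NET-1)
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."
SAMPLE_PASSIVE_RANGE: PortRange = (50001, 50999)


def parse_range(text: str) -> PortRange:
    """'990' -> (990, 990); '50001-50999' -> (50001, 50999)."""
    low, _, high = text.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {text!r}")
    return lo, hi


def parse_tcp_portrange(value: str) -> List[ServiceEntry]:
    """Parse the argument of `set tcp-portrange` into (dst, src) pairs.

    A ':SRC[-SRC]' suffix restricts the client's *source* port; FTPS clients
    use ephemeral source ports, so such a suffix silently breaks the policy."""
    entries: List[ServiceEntry] = []
    for token in value.split():
        dst, _, src = token.partition(":")
        entries.append((parse_range(dst), parse_range(src) if src else None))
    return entries


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Recover host and data port from a '227 Entering Passive Mode' reply.

    This is what a session helper does for plain FTP; with FTPS the reply
    is inside the TLS channel, so the FortiGate never sees these numbers."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def service_matches(entries: List[ServiceEntry], dst_port: int, src_port: int) -> bool:
    """True if a TCP connection to dst_port from src_port matches the service."""
    for (dlo, dhi), src in entries:
        if dlo <= dst_port <= dhi and (src is None or src[0] <= src_port <= src[1]):
            return True
    return False


def uncovered_passive_ports(tcp_portrange: str, passive: PortRange,
                            client_src_port: int = 49152) -> List[int]:
    """Passive data ports the policy would drop for a typical client.

    client_src_port defaults to the bottom of the IANA ephemeral range."""
    entries = parse_tcp_portrange(tcp_portrange)
    lo, hi = passive
    return [p for p in range(lo, hi + 1)
            if not service_matches(entries, p, client_src_port)]


def check_reply_against_service(tcp_portrange: str, reply: str) -> bool:
    """Would the data connection announced in `reply` pass the service?"""
    _, data_port = parse_pasv_reply(reply)
    return service_matches(parse_tcp_portrange(tcp_portrange), data_port, 49152)


def live_passive_port(host: str, user: str, password: str, port: int = 21) -> int:
    """Step-4 helper: open an explicit FTPS (AUTH TLS) session and ask the
    server for a passive port, i.e. observe what the firewall cannot.
    Needs a reachable server; not exercised offline. Implicit FTPS on 990
    is not handled by ftplib.FTP_TLS."""
    ftp = ftplib.FTP_TLS()
    ftp.connect(host, port)
    ftp.login(user, password)   # FTP_TLS.login issues AUTH TLS first
    ftp.prot_p()                # protect the data channel as well
    _, data_port = ftp.makepasv()
    ftp.quit()
    return data_port


if __name__ == "__main__":
    good = "989 990 50001-50999"
    bad = "990 50001-50999:50001-50999"   # source-port suffix added by mistake
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))
    print(len(uncovered_passive_ports(good, SAMPLE_PASSIVE_RANGE)), "ports uncovered by", good)
    print(len(uncovered_passive_ports(bad, SAMPLE_PASSIVE_RANGE)), "ports uncovered by", bad)
```

Run it with the tcp-portrange string taken from "show firewall service custom" and the passive range configured on the server; an empty list from uncovered_passive_ports means the service covers every port the server may announce. Compare the port returned by live_passive_port (or seen in the server's own log) against the same service to confirm the server really stays inside the configured range.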