Description
This article explains how to configure a firewall rule for FTPS (FTP over SSL).
Scope
All FortiOS users.
Solution
Currently there is no session helper for FTP over SSL on the FortiGate.
The PORT commands sent by the client (active FTPS) or the "Entering Passive Mode" reply from the server (Passive FTPS) are encrypted. The port numbers and IP address are not visible in clear data. Therefore the FTPS data session are opened with port numbers which are unknown to the FortiGate.
A workaround may be possible, consisting of the following:-
1. Determine the FTP Server Port Range on the FTP Server (This must be defined on the FTP Server.)
2. Create an external-internal Firewall policy (FTP Server on the internal network of the FortiGate). Allow the port range through the firewall, including ports 989 and 990 for data control. Within this Firewall policy limit connectivity to only the IP address of the FTP Server.
|
FGT50B3G06500087 (address) #
config firewall address
edit "FTP Server"
set associated-interface "internal"
set subnet 10.147.1.61 255.255.255.255
next
end
FGT50B3G06500087 # config firewall service custom
FGT50B3G06500087 (custom) # show
config firewall service custom
edit "ftp-ports"
set protocol TCP/UDP/SCTP
set set tcp-portrange 990 50001-50999:50001-50999 (if ftp-data ports have been tuned on the ftp server)
OR
set tcp-portrange 990 1-65535 (if ftp-data ports have not been changed)
next
end
edit 2
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "FTP Server"
set action accept
set schedule "always"
set service "FTP" "FTP_GET" "FTP_PUT" "ftp-ports"
set logtraffic enable
next
end |
3. Place this Firewall policy at the top of the policy list.
4. Test the FTPS connection from the FTP Client to the FTP Server.
