Description
This article describes the FTP suite of protocols (FTPs, sFTP, SFTP). It contains the basic mode of operation, differences, and explanations.
Scope
FortiGate.
Solution
Technical terms are explained in relation to what firewall ports need to be open to allow the traffic.
FTP - File Transfer Protocol: uses TCP port 21 for command and TCP port 20 for data transfer.
- Active: server tells the client the port to use for data. (default mode uses port20; not suitable if Firewall does not explicitly opens this port).
- Passive: client tells the server which port to use for data. (FTP helper in FortiGate checks the port because the FTP command port is not encrypted. FortiGate opens the session expectation accordingly).
TFTP - Trivial File Transfer Protocol (RFC 1350): uses UDP 69; tftp session-helper operates as above.
SFTP - Simple FTP (RFC913): uses port 115. Protocol not used anymore (assigned Historic status by the IETF = not used anymore). Nowadays SFTP should read 'sFTP' and refers to 'Secure FTP'.
sFTP - Secure FTP (or 'FTP over SSH'; extension of SSH protocol): uses SSH port 22
sFTP is not supported/detected by the FTP signature (564518). FortiGate can't differentiate based on the embedded signature of the sFTP from SSH.
A custom signature is needed to block SSH but allow SFTP (Technical Tip: How to block SSH but allow SFTP using the same TCP port 22).
FTPs - FTP+Authentication (FTP over TLS or SSL; extension of FTP protocol: uses :
- Control channel (port 990)
- Data channel (port 989)
FortiOS support for FTPs is introduced starting with FortiOS 6.4 (and not supported in versions older than 6.4, for Mantis 532698).
'Explicit FTP Proxy' does not work for FTPS prior to FortiOS 6.2.1 (for the same internal ID as above).
1) FTPs-implicit (outdated) -the entire FTPS session is encrypted; uses:
- Control channel (port 990)
- Separate generic SSL session for data transfer using dynamic ports.
2) FTPs-explicit: uses:
- Control channel (port 990)
- Secure command channel: requested by AUTH TLS (explicit) or AUTH SSL (implicit) commands.
The ports used for data (client<>server) are negotiated through this channel. If FortiGate has no 'deep-inspection' enabled, it can not know these ports and allow the traffic.
Deep-inspection is required in the policy, and proxy-profile must also be adjusted for scanning to find out these ports.
- Secure data channel: requested by PROT command (not enabled by default by the above commands concerning the command channel).
Once the firewall allows the session for the data channel, the traffic will pass whether encrypted or not.
On FortiGate
FTP and TFTP are functioning through their corresponding session-helpers.
Deleting these session-helpers may prevent the correct ports from being open.
SFTP - not used: it can be manually allowed by allowing port 115.
sFTP - allowed: if SSH is allowed, not specifically supported/detected.
FTPs implicit - not used/outdated: it is not supported.
FTPs explicit - adjustments needed: as above.
Other FTP useful guides:
Technical Tip: How to set a policy to allow FTP over TLS
Technical Note: FortiOS support for FTPS (FTP over SSL), configuration of a firewall rule
Technical Tip: FileZilla and authentication against FTP proxy
Technical Tip: Allow explicit FTPS connection over VIP
