FortiGate
ppatel
Staff & Editor
Article Id 189531

Description

This article describes how to allow an explicit FTPS connection over a VIP.

Diagram.



Solution

  • Explicit FTPS is a method that allows the client to request that the server set up the data connection using SSL/TLS. Because the control channel is encrypted, the FTP session helper cannot parse it and therefore does not open the necessary pinhole for the data connection. Likewise, flow-based inspection does not support FTPS, as the IPS engine cannot read the encrypted payload.
  • Explicit FTPS is therefore only supported with the combination of proxy-based inspection and deep inspection. The WAD process can read the encrypted payload and create the 'expectation session' for the incoming data connection.
  • For explicit FTPS in passive mode through a FortiGate Virtual IP (VIP), both the control port (21) and a defined passive port range must be opened and forwarded. Passive mode requires an explicit firewall policy because the server dynamically instructs the client which port to use for the data transfer.

Note:

Even with SSL deep inspection enabled, FortiGate cannot automatically open passive ports on the VIP external IP; these must be configured manually.

Configuration and verification.

Custom Ports.

config firewall service custom
    edit "FTPS-PASV"
        set tcp-portrange 50000-51000
    next
end


VIP.

config firewall vip
    edit "FTPS-VIP"
        set extip 10.230.4.72
        set mappedip "10.220.3.202"
        set extintf "any"
        set portforward enable
        set extport 21
        set mappedport 21
    next
    edit "FTPS-Passive"
        set extip 10.230.4.72
        set mappedip "10.220.3.202"
        set extintf "any"
        set portforward enable
        set extport 50000-51000
        set mappedport 50000-51000
    next
end


Policy.

config firewall policy
    edit 3
        set name "FTPS"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FTPS-VIP" "FTPS-Passive"
        set action accept
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT" "FTPS-PASV"
        set utm-status enable
        set inspection-mode proxy           <-----
        set ssl-ssh-profile "FTP-scan"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end

SSL inspection profile.

config firewall ssl-ssh-profile
    edit "FTP-scan"
        config https
            set ports 443
            set status deep-inspection
            set expired-server-cert allow
            set revoked-server-cert allow
            set cert-validation-failure allow
            set sni-server-cert-check disable
        end
        ...
        config ftps
            set ports 990
            set status deep-inspection       <-----
            set expired-server-cert allow
            set revoked-server-cert allow
            set cert-validation-failure allow
        end
        ...
        set block-blocklisted-certificates disable
        set ssl-anomalies-log disable
    next
end

WAD debugs indicate the creation of a pinhole session.

removed command PASV from cmd queue.
2021-07-26 21:42:05.094380 [p:508][s:40738626] wad_ftp_exec_state(3954): received event REPLY in state NORMAL
2021-07-26 21:42:05.094442 [p:508][s:40738626] wad_ftp_pasv_reply_handler(1180): offer_ip=10.220.3.202 offer_port=50756
2021-07-26 21:42:05.094643 [p:508][s:40738626] wad_ftp_tp_ses_exp_free(168): fts=0x7f52db54a9c8, exp=(nil)
2021-07-26 21:42:05.094663 [p:508][s:40738626] wad_exp_tcp_in_find(190): proto=6 vd=0 ->10.220.3.202:50756 exp_tcp_in=(nil)
2021-07-26 21:42:05.094862 [p:508][s:40738626] wad_exp_tcp_in_open(228): bound to proto=6 dest=10.220.3.202:50756 vd=0 fd=83 local=0 tin(0x7f52dca666d0)
Control session tuple: 10.230.4.86:60919 -> 10.230.4.72:21 vf 0 vrf 0
Expect session tuple: 10.230.4.86:0 -> 10.230.4.72:50756(10.220.3.202:50756) vf 0 vrf 0
                     dir 0  act 2  hook 0 state 0 ops 0  skip 0

redirect: TCP 10.230.4.86:0 -> 10.230.4.72:50756 DNAT 10.220.3.202:50756
2021-07-26 21:42:05.095216 [p:508][s:40738626] wad_ftp_exec_state(3980): transitioned from state NORMAL to state NORMAL
2021-07-26 21:42:05.095224 [p:508][s:40738626] __wad_ftp_session_proc_reply(706): forwarded reply to client: ftp cmd=PASV, reply code=227
2021-07-26 21:42:05.095232 [p:508][s:40738626] wad_ips_port_out_read_br(262): ips_conn=0x7f52dcaf9a90, len=48
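The two points the Solution makes (the passive port range must be explicitly forwarded on the VIP, and the WAD process must create an expect session for the port the server offers in its 227 reply) can be checked mechanically against a WAD debug capture. The following Python script is an added example, not code from the article or from Fortinet. It decodes an FTP 227 passive-mode reply into the offered port, then scans a WAD debug excerpt for the PASV reply handler line and the expect session tuple and reports whether the offered port lies inside the forwarded range and whether the DNAT maps the VIP external IP to the mapped server IP. The range 50000-51000, the addresses 10.230.4.72 and 10.220.3.202 and the embedded debug lines are taken from the configuration and output above; the function and regex names are this example's own.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Values mirroring the article's configuration (assumed for this example).
PASSIVE_RANGE = (50000, 51000)   # "FTPS-PASV" service / "FTPS-Passive" VIP port range
VIP_EXT_IP = "10.230.4.72"       # extip of both VIPs
VIP_MAPPED_IP = "10.220.3.202"   # mappedip of both VIPs

# Constructed excerpt, copied from the WAD debug lines shown in the article.
WAD_DEBUG = """\
2021-07-26 21:42:05.094442 [p:508][s:40738626] wad_ftp_pasv_reply_handler(1180): offer_ip=10.220.3.202 offer_port=50756
Expect session tuple: 10.230.4.86:0 -> 10.230.4.72:50756(10.220.3.202:50756) vf 0 vrf 0
redirect: TCP 10.230.4.86:0 -> 10.230.4.72:50756 DNAT 10.220.3.202:50756
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PASV_REPLY_RE = re.compile(r"offer_ip=" + IP + r" offer_port=(\d+)")
EXPECT_RE = re.compile(r"Expect session tuple: \S+ -> " + IP + r":(\d+)\(" + IP + r":(\d+)\)")
# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
FTP_227_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_227(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (ip, port); port = p1 * 256 + p2."""
    m = FTP_227_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_is_forwarded(port: int, rng: Tuple[int, int] = PASSIVE_RANGE) -> bool:
    """True if the offered data port is inside the range the VIP forwards."""
    lo, hi = rng
    return lo <= port <= hi


class PinholeCheck(NamedTuple):
    offer_port: Optional[int]   # port the server offered in its 227 reply
    expect_found: bool          # WAD created an expect session
    in_range: bool              # offered port is covered by the forwarded range
    dnat_ok: bool               # expect tuple maps extip:port -> mappedip:port


def check_wad_debug(text: str, rng: Tuple[int, int] = PASSIVE_RANGE,
                    ext_ip: str = VIP_EXT_IP, mapped_ip: str = VIP_MAPPED_IP) -> PinholeCheck:
    """Scan WAD debug output and verify the pinhole matches the VIP configuration."""
    offer_port: Optional[int] = None
    expect_found = False
    dnat_ok = False
    for line in text.splitlines():
        m = PASV_REPLY_RE.search(line)
        if m:
            offer_port = int(m.group(2))
            continue
        m = EXPECT_RE.search(line)
        if m:
            expect_found = True
            ext, ext_port = m.group(1), int(m.group(2))
            mapped, mapped_port = m.group(3), int(m.group(4))
            # The expect session must target the VIP external IP and be DNATed
            # to the mapped server on the same port the server offered.
            dnat_ok = (ext == ext_ip and mapped == mapped_ip
                       and ext_port == mapped_port == offer_port)
    in_range = offer_port is not None and port_is_forwarded(offer_port, rng)
    return PinholeCheck(offer_port, expect_found, in_range, dnat_ok)


if __name__ == "__main__":
    ip, port = parse_227("227 Entering Passive Mode (10,220,3,202,198,68)")
    print(f"server offered {ip}:{port}, forwarded={port_is_forwarded(port)}")
    print(check_wad_debug(WAD_DEBUG))
```

If `in_range` is False the data connection will be dropped on the VIP even though WAD created the expect session, which is exactly the case the Note above warns about: widen the "FTPS-PASV" service and "FTPS-Passive" VIP range, or restrict the server's passive range to match.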

Flow debugs.

2021-07-26 21:41:53 id=20085 trace_id=138132 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=6, 10.230.4.86:60919->10.230.4.72:21) from port3. flag [S], seq 1747348908, ack 0, win 64240"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=init_ip_session_common line=5894 msg="allocate a new session-026d9f42"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=fw_pre_route_handler line=184 msg="VIP-10.220.3.202:21, outdev-port3"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=__ip_session_run_tuple line=3503 msg="DNAT 10.230.4.72:21->10.220.3.202:21"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.220.3.202 via port2"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=fw_forward_handler line=819 msg="Allowed by Policy-3: AV"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=ids_receive line=298 msg="send to ips"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=av_receive line=314 msg="send to application layer"
...
2021-07-26 21:42:05 id=20085 trace_id=138192 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=6, 10.230.4.86:60921->10.230.4.72:50756) from port3. flag [S], seq 3571380554, ack 0, win 64240"
2021-07-26 21:42:05 id=20085 trace_id=138192 func=resolve_ip_tuple_fast line=5819 msg="Find an EXP session, id-026d9f42."
2021-07-26 21:42:05 id=20085 trace_id=138192 func=__ip_session_run_tuple line=3503 msg="DNAT 10.230.4.72:50756->10.220.3.202:50756"

Sniffer.

2021-07-26 19:41:53.694768 port3 in 10.230.4.86.60919 -> 10.230.4.72.21: syn 1747348908                   <----- Control connection.
2021-07-26 19:41:53.700869 port3 out 10.230.4.72.21 -> 10.230.4.86.60919: syn 1095480473 ack 1747348909
2021-07-26 19:41:53.702645 port3 in 10.230.4.86.60919 -> 10.230.4.72.21: ack 1095480474
2021-07-26 19:41:53.782756 port2 out 10.230.4.86.60919 -> 10.220.3.202.21: syn 1560759456
2021-07-26 19:41:53.788120 port2 in 10.220.3.202.21 -> 10.230.4.86.60919: syn 2105481383 ack 1560759457
2021-07-26 19:41:53.788290 port2 out 10.230.4.86.60919 -> 10.220.3.202.21: ack 2105481384
...
2021-07-26 19:42:05.235631 port3 in 10.230.4.86.60921 -> 10.230.4.72.50756: syn 3571380554                <----- Data connection.
2021-07-26 19:42:05.290253 port3 out 10.230.4.72.50756 -> 10.230.4.86.60921: syn 4276598741 ack 3571380555
2021-07-26 19:42:05.291111 port3 in 10.230.4.86.60921 -> 10.230.4.72.50756: ack 4276598742
2021-07-26 19:42:05.302010 port2 out 10.230.4.86.60921 -> 10.220.3.202.50756: syn 3496112363
2021-07-26 19:42:05.307813 port2 in 10.220.3.202.50756 -> 10.230.4.86.60921: syn 3328349616 ack 3496112364
2021-07-26 19:42:05.307866 port2 out 10.230.4.86.60921 -> 10.220.3.202.50756: ack 3328349617

Related articles:

Technical Tip: How to set a policy to allow FTP over TLS

Technical Note: FortiOS support for FTPS (FTP over SSL), configuration of a firewall rule

Technical Tip: FileZilla and authentication against FTP proxy

Technical Tip: Allow explicit FTPS connection over VIP