Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AlexC-FTNT
Staff
Staff

Created on ‎09-21-2022 08:50 AM Edited on ‎07-15-2025 07:25 AM By Staff & Editor

Article Id 224345

Technical Tip: Allowing FTPs over FortiGate: FTPs, sFTP, SFTP - differences and explanations

Description

 

This article describes the FTP suite of protocols (FTPs, sFTP, SFTP). It contains the basic mode of operation, differences, and explanations.

 

Scope

 

FortiGate.

 

Solution

 

Technical terms are explained about what firewall ports need to be open to allow the traffic.


FTP - File Transfer Protocol: uses TCP port 21 for command and TCP port 20 for data transfer. 

  • Active: The client tells the server the port to use for data. (default mode uses port20; not suitable if Firewall does not explicitly opens this port).
  • Passive: Server tells the client which port to use for data. (FTP helper in FortiGate checks the port because the FTP command port is not encrypted. FortiGate opens the session expectation accordingly).
  • TFTP - Trivial File Transfer Protocol (RFC 1350): uses UDP 69; tftp session-helper operates as above.
  • SFTP - Simple FTP (RFC913): uses port 115. Protocol not used anymore (assigned Historic status by the IETF = not used anymore). Nowadays SFTP should read 'sFTP' and refers to 'Secure FTP'.
  • sFTP - Secure FTP (or 'FTP over SSH'; extension of SSH protocol): uses SSH port 22
  • sFTP is not supported/detected by the FTP signature (564518). FortiGate can't differentiate based on the embedded signature of the sFTP from SSH.

A custom signature is needed to block SSH but allow SFTP (Technical Tip: How to block SSH but allow SFTP using the same TCP port 22).

 

FTPs - FTP+Authentication (FTP over TLS or SSL; extension of FTP protocol: uses :

  • Control channel (port 990)
  • Data channel (port 989)


FortiOS support for FTPs is introduced starting with FortiOS 6.4 (and not supported in versions older than 6.4, for Mantis 532698).
'Explicit FTP Proxy' does not work for FTPS prior to FortiOS 6.2.1 (for the same internal ID as above).


FTPs-implicit (outdated) -the entire FTPS session is encrypted; uses: 

  • Control channel (port 990).
  • Separate generic SSL session for data transfer using dynamic ports.


FTPs-explicit: uses:

  • Control channel (port 990)/
  • Secure command channel: requested by AUTH TLS (explicit) or AUTH SSL (implicit) commands.


The ports used for data (client<>server) are negotiated through this channel. If FortiGate has no 'deep-inspection' enabled, it can not know these ports and allow the traffic.

 

Deep-inspection is required in the policy, and proxy-profile must also be adjusted for scanning to find out these ports.

 

  • Secure data channel: requested by PROT command (not enabled by default by the above commands concerning the command channel). Once the firewall allows the session for the data channel, the traffic will pass whether encrypted or not.

 

On FortiGate:

FTP and TFTP are functioning through their corresponding session-helpers.

Deleting these session-helpers may prevent the correct ports from being open. 

SFTP - not used: it can be manually allowed by allowing port 115.

sFTP - allowed: if SSH is allowed, not specifically supported/detected.

FTPs implicit - not used/outdated: it is not supported.

FTPs explicit - adjustments needed: as above.

 

Related articles:

Technical Tip: How to set a policy to allow FTP over TLS

Technical Note: FortiOS support for FTPS (FTP over SSL), configuration of a firewall rule

Technical Tip: FileZilla and authentication against FTP proxy

Technical Tip: Allow explicit FTPS connection over VIP

38562
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.