Created on 05-09-2023 12:51 AM
Edited on 04-29-2025 10:49 PM
By Anthony_E
This article shows the basic SSL VPN web mode setup for FTP traffic on FortiGate.
Consider this diagram for the scenario:
The complete reference to setup SSL VPN:
SSL VPN best practices | FortiGate / FortiOS 7.0.1 (fortinet.com)
Client IP: 192.168.1.3
FTP Server IP: 192.168.30.2
FortiGate SSL VPN IP: 192.168.1.1
config vpn ssl settings
    ---truncated---
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set users "fortinet" <----- Assign the "fortinet" user to the "web-access" portal.
            set portal "web-access"
        next
    ---truncated---
config vpn ssl web portal
    edit "web-access"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    ---truncated---
                    edit "ftp_new"
                        set apptype ftp
                        set folder "192.168.30.2/FTP_test" <----- "192.168.30.2" is the FTP server address; "FTP_test" is the folder on the FTP server.
                    next
                    ---truncated---
config firewall policy
    edit 9
        set name "sslvpn"
        ---truncated---
        set users "fortinet" <----- At least one user must be assigned to the SSL VPN firewall policy.
        ---truncated---
The client logs in to 192.168.1.1:443 via a web browser:
Once the login to the SSL VPN web portal is successful, the client is presented with the SSL VPN portal.
To monitor successfully logged-in users:
From the GUI, go to Dashboard -> Network -> SSL VPN.
After the client selects the ftp_new bookmark, it is presented with this page. The username and password required here are not configured on the FortiGate but on the FTP server itself.
Once the client logs in successfully, this page is presented.
Now check what is happening under the hood:
FGT1 # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
FGT1 # diagnose debug enable
-- start generating the traffic from login into sslvpn till accessing the FTP server---
--- truncated---
[459:root:172]FTP connect to 192.168.30.2:21..
[459:root:172]sslvpn_policy_match:2254 checking web session
[459:root:172]remote_ip=[192.168.1.3], user=[fortinet], iif=11, auth=1, dsthost=[192.168.30.2], portal=[web-access] realm=[(null)], dst=192.168.30.2, dport=21, service=[ftp]
[459:root:172]sslvpn_policy_match:2279 policy check cache found [accept]
[459:root:172]FTP user response: 331 Password required
[459:root:172]FTP pass resp: 230 User logged in.
[459:root:172]FTP send: PWD
[459:root:172]FTP PWD resp: 257 "/" is current directory.
[459:root:172]FTP send: PWD
[459:root:172]FTP PWD resp: 257 "/" is current directory.
[459:root:172]FTP send: PASV
[459:root:172]FTP PASV resp: 227 Entering Passive Mode (192,168,30,2,224,37).
.
[459:root:172]FTP data contect to host 192.168.30.2:57381. <----- The FortiGate connects to the FTP server's passive data port.
[459:root:172]FTP send: LIST
[459:root:172]FTP read download resp: 125 Data connection already open; Transfer starting. <----- Shown when the data connection is successful.
[459:root:0]rmt_ftpclient_parse_result: (null)
######### <----- This is the content downloaded from FTP server.
04-26-23 10:00AM <DIR> New folder
04-26-23 10:00AM <DIR> New folder (2)
[459:root:172]FTP read download resp: 226 Transfer complete.
[459:root:172]FTP send: QUIT
[459:root:172]FTP QUIT resp: 221 Goodbye.
---- truncated---
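The debug output above shows the FortiGate acting as the FTP client on the user's behalf: it authenticates, sends PASV, decodes the 227 reply into a host and port (224*256 + 37 = 57381), opens the data connection, runs LIST, and waits for the 226. The following is an added example, not part of this article or of FortiOS, that parses a constructed copy of these debug lines to reconstruct that sequence and flags a passive reply that points somewhere other than the bookmarked server. The line layout it matches (including the "FTP data contect" wording) is taken from the output above; the second sample log and the function names are assumptions made for the example.

```python
import re

# Constructed sample: a subset of the "diagnose debug application sslvpn -1" lines
# shown in the article, embedded here so the example runs offline.
SAMPLE_DEBUG = """\
[459:root:172]FTP connect to 192.168.30.2:21..
[459:root:172]remote_ip=[192.168.1.3], user=[fortinet], iif=11, auth=1, dsthost=[192.168.30.2], portal=[web-access] realm=[(null)], dst=192.168.30.2, dport=21, service=[ftp]
[459:root:172]sslvpn_policy_match:2279 policy check cache found [accept]
[459:root:172]FTP pass resp: 230 User logged in.
[459:root:172]FTP send: PASV
[459:root:172]FTP PASV resp: 227 Entering Passive Mode (192,168,30,2,224,37).
[459:root:172]FTP data contect to host 192.168.30.2:57381.
[459:root:172]FTP send: LIST
[459:root:172]FTP read download resp: 125 Data connection already open; Transfer starting.
[459:root:172]FTP read download resp: 226 Transfer complete.
"""

# Constructed (hypothetical) sample: the server's 227 reply names a host that is
# not the bookmarked FTP server, so the data connection would go elsewhere.
MISMATCH_DEBUG = """\
[459:root:172]remote_ip=[192.168.1.3], user=[fortinet], iif=11, auth=1, dsthost=[192.168.30.2], portal=[web-access] realm=[(null)], dst=192.168.30.2, dport=21, service=[ftp]
[459:root:172]sslvpn_policy_match:2279 policy check cache found [accept]
[459:root:172]FTP PASV resp: 227 Entering Passive Mode (10,0,0,9,4,1).
[459:root:172]FTP data contect to host 10.0.0.9:1025.
[459:root:172]FTP send: LIST
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_RE = re.compile(r"FTP data contect to host (\d+\.\d+\.\d+\.\d+):(\d+)")
DSTHOST_RE = re.compile(r"dsthost=\[([\d.]+)\]")
POLICY_RE = re.compile(r"policy check cache found \[(\w+)\]")


def parse_pasv(line):
    """Decode an RFC 959 227 reply (h1,h2,h3,h4,p1,p2) into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyze_sslvpn_ftp_debug(text):
    """Walk the debug lines and reconstruct the FTP session the FortiGate ran."""
    result = {
        "dsthost": None,      # bookmarked server from the policy-match line
        "policy": None,       # accept/deny result of the SSL VPN policy check
        "pasv": None,         # (host, port) decoded from the 227 reply
        "data_conn": None,    # (host, port) the FortiGate actually connected to
        "transfer_ok": False, # True once a 226 is seen
        "warnings": [],
    }
    for line in text.splitlines():
        if m := DSTHOST_RE.search(line):
            result["dsthost"] = m.group(1)
        elif m := POLICY_RE.search(line):
            result["policy"] = m.group(1)
        elif "227 " in line:
            result["pasv"] = parse_pasv(line)
        elif m := DATA_RE.search(line):
            result["data_conn"] = (m.group(1), int(m.group(2)))
        elif "226 " in line:
            result["transfer_ok"] = True

    # Consistency checks a defender would want: the data channel should go to the
    # same server the bookmark points at, and to the port the 227 reply announced.
    if result["pasv"] and result["dsthost"] and result["pasv"][0] != result["dsthost"]:
        result["warnings"].append("227 reply names a host other than the bookmarked server")
    if result["pasv"] and result["data_conn"] and result["pasv"] != result["data_conn"]:
        result["warnings"].append("data connection does not match the decoded 227 reply")
    if result["policy"] and result["policy"] != "accept":
        result["warnings"].append(f"SSL VPN policy check returned {result['policy']}")
    return result


if __name__ == "__main__":
    for name, log in (("article sample", SAMPLE_DEBUG), ("mismatch sample", MISMATCH_DEBUG)):
        r = analyze_sslvpn_ftp_debug(log)
        print(name, r["pasv"], r["data_conn"], r["transfer_ok"], r["warnings"])
```

For the article's own output the decoded 227 reply and the "FTP data contect" line agree (192.168.30.2:57381), the policy check is accept and a 226 arrives, so no warnings are raised; the second sample shows what the check reports when the passive reply redirects the data channel to a different host.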
Note:
The complete configuration and debug output are in the attachment.
From v7.6.0, the SSL VPN function has been removed from models with 2GB of RAM: SSL VPN removed from 2GB RAM models for tunnel and web mode
Starting from v7.6.3, the SSL VPN tunnel mode will no longer be supported for all FortiGate models, and SSL VPN web mode will be called 'Agentless VPN'. Agentless VPN (formerly SSL VPN web mode) not supported on FortiGate 40F, 60F, and 90G series models