Technical Tip: Configure and troubleshoot an FTP proxy

Sandeep_FTNT · ‎11-14-2019

Description

This article describes how to configure and troubleshoot an FTP proxy on FortiGate.

Scope

FortiGate.

Solution

The FortiGate FTP explicit feature enables explicit FTP proxying of IPv4 and IPV6 traffic on one or more FortiGate interfaces.
To access ftp services, users on a network must configure their ftp application to use the explicit proxy and set the proxy server address to the IP address of the FortiGate interface that has explicit proxy enabled.

From the GUI:

Go to System -> Feature visibility and make sure Explicit Proxy is enabled.
Go to Network -> Interface -> explicit proxy and enable Explicit FTP proxy.

Then select the interface in which FortiGate needs to listen for FTP proxy, and select the desired port number.

From CLI:

config ftp-proxy explicit
set status enable
set incoming-port 8021

set ssl enable <-- Allows FortiGate connections to Encrypted Explicit Mode FTP Server.
set ssl-cert "Fortinet_Factory"
set ssl-dh-bits 2048
set ssl-algorithm high
end

On the listening interface, make sure the explicit proxy is enabled.

config system interface
    edit "port10"
        set vdom "root"
        set ip 10.120.0.61 255.255.252.0
        set allowaccess ping https ssh http
        set type physical
        set explicit-ftp-proxy enable
        set sbnmp-index 12
    next

end

Configure proxy policy to the WAN interface and enable proxy service as FTP.

config firewall proxy-policy
    edit 1
        set uuid dl8ec384-b98f-51e9-31de-dl0439a57987
        set proxy ftp
        set dstfintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set ssl-ssh-profile "deep-inspection" <-- Allows FortiGate connections to Encrypted Explicit Mode FTP Server.
    next

Note: If SSL is not enabled on 'ftp-proxy explicit' settings in combination with 'deep-inspection' on the firewall proxy-policy, FortiGate would be able to connect only to Plain-Text FTP Servers. Enabling SSL and deep-inspection allows FortiGate to connect to Encrypted Explicit Mode FTP Servers on Port 21.

Related documentation: FTP proxy.

Configuration from the FTP client:

Logs from the FTP client.

STATUS>    Connecting to 'speedtest.tele2.net' on port 21 through proxy "10.120.0.61" on port 8021.
STATUS>    Connecting to '10.120.0.61' on port 8021.
STATUS>    Connected to '10.120.0.61' on port 8021 from 10.120.0.174:50658.

COMMAND:

USER: anonymous@speedtest.tele2.net.
Provide password information according to the following format: [[proxy-passwd:[proxy-token:]]remote_passwd.

Note that if a proxy-user is used as part of the user name, provide a proxy-passwd as part of the password.
Furthermore, proxy-token can only be provided in the password if proxy-user has been provided.

Command:

PASS ****
Login successful.
STATUS: Login successful.

For troubleshooting FTP Proxy cases, enable WAD debugging on FortiGate:

diagnose debug console timestamp enable

diagnose wad debug enable level verbose

diagnose wad debug display pid enable

diagnose wad debug enable category ftp

diagnose wad filter dst x.x.x.x <- Replace the x.x.x.x with FTP server IP.

diagnose wad filter list

diagnose wad debug show

diagnose debug enable

When using FTP Over HTTP, the configuration must be as follows:

config web-proxy explicit
set status enable
set ftp-over-http enable <- This option must be enabled.

set http-incoming-port 8020
set https-incoming-port 8080
set ftp-incoming-port 8021

config system interface
    edit "port10"
        set vdom "root"
        set ip 10.120.0.61 255.255.252.0
        set allowaccess ping https ssh http
        set type physical
        set explicit-ftp-proxy enable

set explicit-web-proxy enable
set sbnmp-index 12

Technical Tip: Configure and troubleshoot an FTP proxy

You are leaving our website