FortiGate
Sandeep_FTNT
Staff
Description
This article describes how to configure and troubleshoot the FTP proxy on FortiGate.

Solution
The FortiGate explicit FTP proxy feature enables explicit FTP proxying of IPv4 and IPv6 traffic on one or more FortiGate interfaces.
To access FTP services, users on the network must configure their FTP application to use the explicit proxy and set the proxy server address to the IP address of the FortiGate interface that has explicit proxy enabled.
From GUI:

- Go to System -> Feature Visibility and make sure Explicit Proxy is enabled.
- Go to Network -> Interface -> Explicit Proxy and enable Explicit FTP Proxy.

Then select the interface on which FortiGate needs to listen for the FTP proxy and select the desired port number.


From CLI:
#config ftp-proxy explicit
    set status enable
    set incoming-port 8021
end
On the listening interface, make sure explicit FTP proxy is enabled.
#config system interface
    edit "port10"
        set vdom "root"
        set ip 10.120.0.61 255.255.252.0
        set allowaccess ping https ssh http
        set type physical
        set explicit-ftp-proxy enable
        set snmp-index 12
    next
end
Configure a proxy policy towards the WAN interface and set the proxy type to FTP.
#config firewall proxy-policy
    edit 1
        set uuid dl8ec384-b98f-51e9-31de-dl0439a57987
        set proxy ftp
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end
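An offline check for the three CLI pieces above (global FTP proxy, listening interface, proxy policy), added here as an example and not taken from the article or from Fortinet. It expects configuration text in the form a backup file uses (no leading `#`); `SAMPLE`, `parse` and `check_ftp_proxy` are hypothetical names and the sample is constructed.

```python
import shlex
from collections import defaultdict
# Constructed sample mirroring the article's three CLI blocks (not a real backup).
SAMPLE = """\
config ftp-proxy explicit
    set status enable
end
config system interface
    edit "port10"
        set explicit-ftp-proxy enable
    next
end
config firewall proxy-policy
    edit 1
        set proxy ftp
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""

def parse(text):  # -> {section: {entry: {key: [values]}}}; nested config blocks are skipped
    cfg, path, entry = defaultdict(lambda: defaultdict(dict)), [], ""
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end" and path:
            path.pop()
        elif len(path) == 1 and tok[0] in ("edit", "next"):
            entry = tok[1] if tok[0] == "edit" else ""
        elif len(path) == 1 and tok[0] == "set" and len(tok) > 2:
            cfg[path[0]][entry][tok[1]] = tok[2:]
    return cfg

def check_ftp_proxy(text):  # findings that stop explicit FTP proxying, plus one review note
    cfg, out = parse(text), []
    if cfg["ftp-proxy explicit"][""].get("status") != ["enable"]:
        out.append("ftp-proxy explicit: status is not enabled")
    if not any(i.get("explicit-ftp-proxy") == ["enable"] for i in cfg["system interface"].values()):
        out.append("no interface has explicit-ftp-proxy enabled")
    ftp = {n: p for n, p in cfg["firewall proxy-policy"].items() if p.get("proxy") == ["ftp"]}
    if not ftp:
        out.append("no proxy-policy with 'set proxy ftp'")
    for n, p in ftp.items():
        out += [f"policy {n}: {k} not set" for k in ("dstintf", "srcaddr", "dstaddr") if k not in p]
        if "all" in p.get("srcaddr", []):
            out.append(f"policy {n}: srcaddr 'all' admits any client that can reach the listener")
    return out
```

An empty list from `check_ftp_proxy` means all three pieces are present; the `srcaddr` line is a review note, not a connectivity failure.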
Configuration from FTP client:



Logs from the FTP client:

STATUS>    Connecting to 'speedtest.tele2.net' on port 21 through proxy "10.120.0.61" on port 8021.
STATUS>    Connecting to '10.120.0.61' on port 8021.
STATUS>    Connected to '10.120.0.61' on port 8021 from 10.120.0.174:50658.

COMMAND:

-USER: anonymous@speedtest.tele2.net.
-Provide password information according to the following format:
[proxy-passwd:[proxy-token:]]remote_passwd.
 
Note that if a proxy-user is used as part of the user-name, provide a proxy-passwd as part of the password.
Furthermore, proxy-token can only be provided in the password if proxy-user has been provided.


COMMAND:

PASS  ****
Login successful.
STATUS>    Login successful.

CLI debug on FortiGate:
#diagnose wad debug enable level info
#diagnose wad debug enable category ftp
#diagnose debug enable
