|
When the FortiGate firewall policy is configured in proxy-based mode IPS/Appctrl/SSL inspection is enabled, explicit FTPS traffic will not flow through it because FTP plaintext traffic is not redirected to WAD. As a result, opportunistic SSL won't be handled, which will result in the FTPS control channel not being decrypted and the data channel not being created.
To improve FTPS handling under the proxy policy, make the following changes:
1) Enable the 'fts-explicit-tls' option under the profile protocol options. This will mean deep-inspection is performed for explicit FTPS sessions and FTPS will always be redirected if deep-inspection is enabled.
config firewall profile-protocol-options
edit "test"
config ftp
set ports 21
set status enable
set explicit-ftp-tls <*disable|enable>
end
next
end
set explicit-ftp-tls <enable/disable>
Do not skip SSL options when the protocol's deep-inspection is set to 'disable'.
config firewall ssl-ssh-profile
edit "no-inspection"
config ftps
set status disable
set client-certificate bypass
set unsupported-ssl-version allow <--- no longer skip
set unsupported-ssl-cipher allow <--- no longer skip
set unsupported-ssl-negotiation allow <--- no longer skip
set expired-server-cert block
set revoked-server-cert block
set untrusted-server-cert allow
set cert-validation-timeout allow
set cert-validation-failure block
set min-allowed-ssl-version tls-1.1 <--- no longer skip
end
next
end
Example firewall policy:
config firewall policy
edit 1
set uuid 0d1c7bee-03ca-51ed-c50c-a1dc5f5ed133
set srcintf "port2"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "FTP" "FTP_GET" "FTP_PUT"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "test"
set ssl-ssh-profile "deep-inspection"
set ips-sensor "g-default"
set logtraffic all
For more information about policy configuration for FTP traffic, see the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-a-policy-to-allow-FTP-over-TLS/...
|
