FortiGate
msolanki
Staff
Article Id 257070
Description

This article explains how FTP over TLS traffic is handled by a FortiGate when using a proxy-based firewall policy with security inspection UTM features (specifically IPS and/or Application Control) enabled, but without deep inspection.

Scope

FortiGate, FortiProxy.
Solution

When a FortiGate firewall policy uses proxy-based inspection mode with IPS and/or Application Control enabled, but its SSL inspection profile only performs certificate inspection, explicit FTPS traffic is not forwarded to the WAD process and therefore receives no deep inspection. Because the FTPS control channel is not scanned, FortiGate cannot create the expectation sessions (pinholes) that the FTPS data channel requires, so FTPS data transfers may fail.

To address this issue, make the following change:

To ensure deep inspection of explicit FTPS traffic, enable the explicit-ftp-tls option under the Protocol Options profile. This setting acts as an override, forcing FTPS traffic to be redirected to the WAD process for inspection, regardless of the SSL inspection profile configured in the firewall policy. When enabled, FortiGate can properly scan the FTPS control channel and dynamically open pinholes for the data channel. Without this option, the data traffic may be blocked if there is no explicit firewall policy allowing it.

config firewall profile-protocol-options
    edit "test"
        config ftp
            set ports 21
            set status enable
            set explicit-ftp-tls <*disable|enable>
        end
    next
end

CLI help for the option:

set explicit-ftp-tls <enable|disable>
    explicit-ftp-tls    Enable/disable FTP redirection for explicit FTPS.

If an SSL deep-inspection profile is applied in the firewall policy, FTPS traffic is automatically redirected to the WAD process for deep inspection. In this case, enabling the explicit-ftp-tls option is not required, as deep inspection will already be performed.


Additionally, enabling the explicit-ftp-tls option has a secondary effect: certain SSL-related checks are enforced even when FTPS inspection is disabled in the SSL profile (for example, when 'Inspect All Ports' is not selected). Without this option, those checks are skipped whenever SSL inspection is not explicitly enabled for the FTPS ports. For example, with explicit-ftp-tls enabled and the SSL profile set to certificate inspection or no-inspection, FTPS traffic is still blocked if it uses an unsupported SSL version. The affected settings are:

  • unsupported-ssl-version
  • unsupported-ssl-cipher
  • unsupported-ssl-negotiation
  • min-allowed-ssl-version

FortiGate no longer skips these SSL options when the protocol's deep inspection is set to disable and explicit-ftp-tls is enabled.

config firewall ssl-ssh-profile
    edit "no-inspection"
        config ftps
            set status disable
            set client-certificate bypass
            set unsupported-ssl-version allow      <- No longer skipped.
            set unsupported-ssl-cipher allow       <- No longer skipped.
            set unsupported-ssl-negotiation allow  <- No longer skipped.
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
            set min-allowed-ssl-version tls-1.1    <- No longer skipped.
        end
    next
end
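As an added example (not Fortinet's code and not part of this article), the following Python checker parses FortiOS CLI text in the layout shown above and applies the rule described in this article: explicit FTPS is redirected to WAD either because the SSL profile deep-inspects ftps (assumed here to appear as `set status deep-inspection` under `config ftps`) or because explicit-ftp-tls is enabled in the Protocol Options profile; otherwise it reports the inspection gap. The profile names and the sample config are constructed for the example.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: config/edit open a block,
    set stores a value, next/end close the innermost block."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        verb, *args = shlex.split(line)
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif verb in ("next", "end"):
            stack.pop()
    return stack[0]

def audit_ftps(cfg, ssl_profile, proto_profile):
    """Return 'ok: ...' when explicit FTPS reaches WAD, else 'gap: ...'."""
    ftps = cfg["firewall ssl-ssh-profile"][ssl_profile].get("ftps", {})
    ftp = cfg["firewall profile-protocol-options"][proto_profile].get("ftp", {})
    if ftps.get("status") == "deep-inspection":  # assumed FortiOS status value
        return "ok: SSL profile deep inspection already redirects FTPS to WAD"
    if ftp.get("explicit-ftp-tls") == "enable":
        return "ok: explicit-ftp-tls overrides the SSL profile and redirects FTPS to WAD"
    return "gap: FTPS control channel bypasses WAD, so data-channel pinholes are never opened"

# Constructed sample in the article's CLI layout (not a real device dump).
SAMPLE = """
config firewall profile-protocol-options
    edit "test"
        config ftp
            set explicit-ftp-tls disable
        end
    next
    edit "test-fixed"
        config ftp
            set explicit-ftp-tls enable
        end
    next
end
config firewall ssl-ssh-profile
    edit "no-inspection"
        config ftps
            set status disable
        end
    next
end
"""
```

Running `audit_ftps(parse_fortios(SAMPLE), "no-inspection", "test")` reports the gap, while the "test-fixed" profile passes.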


Related article:

Technical Tip: UTM/Security Profiles' precedence (order of inspection) during packet flow