FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 257070

This article describes how traffic is handled in a proxy-based firewall with a UTM profile for FTP over TLS .

Scope FortiGate.

When the FortiGate firewall policy is configured in proxy-based mode IPS/Appctrl/SSL inspection is enabled, explicit FTPS traffic will not flow through it because FTP plaintext traffic is not redirected to WAD. As a result, opportunistic SSL won't be handled, which will result in the FTPS control channel not being decrypted and the data channel not being created.


To improve FTPS handling under the proxy policy, make the following changes:


1) Enable the 'fts-explicit-tls' option under the profile protocol options. This will mean deep-inspection is performed for explicit FTPS sessions and FTPS will always be redirected if deep-inspection is enabled.


config firewall profile-protocol-options

    edit "test"

        config ftp

            set ports 21

            set status enable

            set explicit-ftp-tls <*disable|enable>





set explicit-ftp-tls <enable/disable>


Do not skip SSL options when the protocol's deep-inspection is set to 'disable'.


config firewall ssl-ssh-profile

    edit "no-inspection"

        config ftps

            set status disable

            set client-certificate bypass

            set unsupported-ssl-version allow <--- no longer skip

            set unsupported-ssl-cipher allow <--- no longer skip

            set unsupported-ssl-negotiation allow <--- no longer skip

            set expired-server-cert block

            set revoked-server-cert block

            set untrusted-server-cert allow

            set cert-validation-timeout allow

            set cert-validation-failure block

            set min-allowed-ssl-version tls-1.1 <--- no longer skip





Example firewall policy:


config firewall policy

    edit 1

        set uuid 0d1c7bee-03ca-51ed-c50c-a1dc5f5ed133

        set srcintf "port2"

        set dstintf "port3"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "FTP" "FTP_GET" "FTP_PUT"

        set utm-status enable

        set inspection-mode proxy

        set profile-protocol-options "test"

        set ssl-ssh-profile "deep-inspection"

        set ips-sensor "g-default"

        set logtraffic all


For more information about policy configuration for FTP traffic, see the following article: