FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anthony_E
Community Manager

Description
This article describes how to set up a policy to allow traffic to use FTP over TLS.

Scenario.
When trying to connect to an FTP server using TLS, two options are available: explicit or implicit.
 
An explicit connection in active mode allows the client to connect to an FTP server using the regular port 21 for the control channel, and the server initiates a connection back to the client using port 20 as source.
The connection initially starts in plain text, but once the SSL certificates are negotiated the connection is encrypted.
 
In passive mode, it is the client that initiates both the control and the data channel.
The control channel is still negotiated over port 21, but the data channel is negotiated within a specific range between the server and the client, and already over an encrypted channel.
 
For an implicit connection the process is similar, with one major difference: the connection is encrypted right from the start using port 990 (with port 989 used as server source for the data channel in active mode).
 
Regardless of the method used, one thing is certain: the communication will at some point be encrypted, and the firewall in between needs to know which ports are being used for the data channel in order to allow the traffic, so it needs to be able to inspect it.
 
Session helpers are used for protocols such as FTP or SIP, where multiple connections have to be established to complete the flow of information.
They help FortiGate open the necessary ports for the extra sessions so that the communication can be established.
However, when using FTP over TLS, the firewall cannot check the port for the data channel and, as a consequence, the traffic will not be allowed.
 
That is why it is necessary to enable SSL inspection, so that traffic can be inspected and the ports revealed to the session helpers.
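
Why the helper goes blind, as an added example (not Fortinet's code and not FortiOS logic): a minimal Python version of the control-channel parsing a session helper depends on, run over constructed sample segments for plain FTP, explicit FTPS and implicit FTPS. The function names and sample byte strings are assumptions; the server address is the one that appears in this article's session listing.

```python
import re

# FTP "h1,h2,h3,h4,p1,p2" notation: data port = p1 * 256 + p2
HOSTPORT = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
ACTIVE = re.compile(rb"^PORT " + HOSTPORT, re.I)               # client listens (active)
PASSIVE = re.compile(rb"^227 [^(]*\(" + HOSTPORT + rb"\)")     # server listens (passive)
EXT_PASSIVE = re.compile(rb"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")  # EPSV reply, port only

def is_tls_record(segment):
    """TLS record header: content type 20-23 followed by major version byte 3."""
    return len(segment) >= 3 and 20 <= segment[0] <= 23 and segment[1] == 3

def learn_data_endpoints(segments, server_ip):
    """Return (endpoints, blind): the data-channel endpoints a helper could
    learn, and whether the control channel became TLS before parsing ended."""
    endpoints = []
    for seg in segments:
        if is_tls_record(seg):
            return endpoints, True  # ciphertext from here on, nothing left to parse
        m = ACTIVE.match(seg) or PASSIVE.match(seg)
        if m:
            o = [int(x) for x in m.groups()]
            endpoints.append((".".join(map(str, o[:4])), o[4] * 256 + o[5]))
            continue
        m = EXT_PASSIVE.match(seg)
        if m:
            endpoints.append((server_ip, int(m.group(1))))
    return endpoints, False

# Constructed sample control-channel segments (not captured from the article's lab).
SERVER = "10.109.51.153"  # server address as seen in the article's session listing
PLAIN_FTP = [b"USER demo\r\n", b"331 Password required\r\n", b"PASV\r\n",
             b"227 Entering Passive Mode (10,109,51,153,195,80)\r\n"]
EXPLICIT_FTPS = [b"AUTH TLS\r\n", b"234 Using authentication type TLS\r\n",
                 b"\x16\x03\x01\x00\x04\x00\x00\x00\x00",   # handshake record
                 b"\x17\x03\x03\x00\x04\x00\x00\x00\x00"]   # encrypted PASV/227 exchange
IMPLICIT_FTPS = [b"\x16\x03\x01\x00\x04\x00\x00\x00\x00"]   # port 990: TLS from byte one

if __name__ == "__main__":
    for name, segs in (("plain", PLAIN_FTP), ("explicit", EXPLICIT_FTPS),
                       ("implicit", IMPLICIT_FTPS)):
        print(name, learn_data_endpoints(segs, SERVER))
```

Only the plain-text exchange yields a data-channel endpoint; in both TLS cases the parser stops at the first record header, which is the state the firewall is in until SSL inspection exposes the control channel to it.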

Solution
The following screenshot shows a typical plain-text FTP connection, where the authentication takes place and even the username and password are sent in plain text:



 
 
Let us check an example of FTP over TLS with an implicit connection:
 
 
 
In the FortiGate, a control session has been created:
FG100E-7 (root) # diagnose sys session list
 
session info: proto=6 proto_state=01 duration=88 expire=3511 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/1 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=11->7/7->11 gwy=10.109.51.153/10.245.3.211
hook=post dir=org act=snat 10.245.3.211:30969->10.109.51.153:990(10.109.48.248:30969)
hook=pre dir=reply act=dnat 10.109.51.153:990->10.109.48.248:30969(10.245.3.211:30969)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0005c800 tos=ff/ff app_list=0 app=0 url_cat=0
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=66/70, ipid=70/66, vlan=0x0000/0x0000
vlifid=70/66, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2
total session 1
But there is no session for the data channel: the traffic is not being inspected, so FortiGate does not know which ports are being used.
As a consequence, the following will be visible on the FTP client and server (FileZilla was used for this example):
 
Server.
 
 

 
 
Control messages went through, but the data connection fails to open.
 
Client.
 
 
 
 
This is because at this stage the policy on FortiGate is not doing any deep inspection:
 
 

 
 
So, in order to allow data to flow, it is necessary to add deep inspection:
 
 
 
 
Because enabling deep inspection by itself will not inspect any traffic, it is necessary to add an extra security profile to the policy, so we add IPS with the default profile to allow all the traffic.
Now the ports can be inspected and learned by the session helpers, and the connection can be established.
 
 

 