FortiGate
wcruvinel (Staff)
Article Id 413115
Description

This article describes an issue on FortiGate units running FortiOS 7.2.10 and later: when the unit operates in Flow mode with IPS or Deep Inspection enabled, FTPS file transfers fail.

With explicit FTPS, the client and server negotiate TLS on the control channel (AUTH TLS), and the data channel (a high-port session) is then initiated.
Because that traffic is encrypted, the kernel session helper cannot extract the session information it needs for the data channel and does not create the expected session. As a result, the FortiGate denies the data connection.

Scope
FortiGate units running FortiOS v7.2.10 and later.
Solution

Trigger condition:
Explicit FTPS is used through a firewall policy configured to allow only the FTP service.

Workaround:
Temporarily allow all outgoing ports to the destination FTPS server in the policy; this allows the high-port data session to be established.
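The following CLI fragment is an added example of how that temporary policy can be written so that it is scoped as narrowly as the workaround allows; it is not taken from the article or from Fortinet documentation. The address object name, the interface names port1/port2, the policy name and the server address 192.0.2.10 are constructed placeholders to be replaced with the real values.

```fortios
# Constructed example: address object for the one FTPS server the policy should cover
config firewall address
    edit "FTPS-SERVER-TEMP"
        set subnet 192.0.2.10 255.255.255.255
        set comment "Placeholder: destination FTPS server for the FTPS workaround"
    next
end

# Constructed example: temporary policy that opens all ports, but only toward that server
config firewall policy
    edit 0
        set name "TEMP-FTPS-WORKAROUND"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "FTPS-SERVER-TEMP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        set comments "Temporary: allows FTPS high-port data session; remove after upgrade"
    next
end
```

`edit 0` assigns the next free policy ID. The new policy must sit above the existing FTP-only policy so that the FTPS data session matches it first; move it with `config firewall policy` followed by `move <new-id> before <ftp-policy-id>`, using the IDs shown by `show firewall policy`. Keeping `dstaddr` limited to the single FTPS server and logging all traffic keeps the temporary exposure small and visible, and the policy should be deleted once the unit runs a release that contains the fix.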

Final solution:
The fix will be released in FortiOS v7.4.10 and v7.6.5.