Help
FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
KC_Hing
Staff
Staff

Created on ‎10-27-2025 01:34 AM Edited on ‎11-19-2025 10:27 PM By Community Manager

Article Id 416656

Technical Tip: Allowing SFTP connection through FortiProxy

Description This article describes how to configure a SOCKS proxy to allow SFTP server access.
Scope FortiProxy.
Solution

In this scenario, an internal user requests to access SFTP server using a FileZilla client, where FortiProxy acts as an intermediate proxy to authenticate this application access traffic.

 

  1. To enable a SOCKS proxy:

Go to Proxy Settings -> Explicit Proxy -> Select web proxy name -> Select Edit.

Enable the SOCKS Proxy checkbox and enter a port number.

 

Socks1.PNG

 

  1. To configure proxy authentication scheme:

Go to Policy & Objects -> Authentication Rules -> Authentication Schemes -> Create New.

Select the authentication methods.

Note: Socks authentication rule can only support basic or Kerberos authentication methods.

 

Socks2.PNG

 

  1. To configure proxy authentication rule:

Go to Policy & Objects -> Authentication Rules -> Create New.

Select Socket Secure under protocol selection to match SOCKS authentication traffic.

 

Socks3.PNG

 

  1. Create or edit a policy to allow SOCKS proxy traffic.

 

Socks4.PNG

 

  1. Access to an external SFTP server by using the FileZilla client.

 

Socks7.PNG

 

  1. Execute the following commands to confirm user authentication and SOCKS proxy access traffic.

 

diagnose wad user list

diagnose wad filter process-id-by-src <client-ip>
diagnose wad debug enable category sock
diagnose wad debug enable category auth
diagnose debug enable

 

fpx # diagnose wad user list

ID: 5, VDOM: root, IPv4: 10.165.2.76
user name : aduser1@fortilab.local
worker : 0
duration : 8916 seconds
auth_type : IP
auth_method : socks-Basic
pol_id : 1
g_id : 3
user_based : 0
expire : N/A (in use)
LAN:
bytes_in=338753 bytes_out=2865394
WAN:
bytes_in=2851940 bytes_out=299708

fpx #

 

Wad debug: Matching authentication rule
[I][p:962][s:4604] wad_auth_rule_match :1471 match auth rule succ: Socks_Rule
[I][p:962][s:4604] wad_socks_get_user :2743 ss=0x7fb90daf4450 auth-rule=Socks_Rule ip-based=1
[I][p:962][s:4604] wad_hauth_user_node_is_valid :2914 auth find unmatched scheme or auth type user node.(name: aduser1@fortilab.local, scheme: NTLM, IP based)
...
[I][p:962][s:4604] wad_socks_auth_method_response :3119 ss=0x7fb90daf4450 scheme=socks-Basic socks_method=0x02
...
[I][p:962][s:4604] wad_socks_auth_status_proc :1499 authenticate result=success

 

Wad debug: Matching policy rule

[I][p:962] wad_socks_policy_match_one :124 fw_pol_id=1(pol_ctx:mx|A|7?|=p) pflag:H|W|U|A asyn_info=1
[V][p:962] wad_fw_policy_check_user :6411 user_node=0x7fb916c7f758
[I][p:962] __wad_fw_policy_match_user :5875 matched cached grp:Socks_Users
[I][p:962] wad_fw_policy_async_match :6820 pol_ctx:mx|A|7?|=d
[I][p:962] wad_socks_policy_set :1979 match policy-id=1(pol_ctx:mx|A|7?|=d) vd=0:0(ses_ctx:x|Phx|Mde
|H|C|A7|O) pid=962 out_if=3 user=aduser1@fortilab.local (anony:0) 10.165.2.76:58567 -> 194.108.117.16:22 av_idx=0

 

Related article:

Technical Tip: A basic working sample for Telnet over SOCKS 5 Proxy
201
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.