This problem happens because the Web Application Delivery (WAD) process returns a 2xx response to the client before the data connection with the FTPS server is totally established, leading to connection failure.

Symptoms:

• FTPS connections fail during the SSL handshake phase.
• Premature 2xx responses from the server before the data connection is fully established.
• Error messages in logs, such as:
• SSLHandshakeException: Remote host closed connection during handshake
• javax.net.ssl.SSLHandshakeException

Cause: The WAD process on FortiProxy returns a 2xx response to the client too early, before the SSL handshake and data connection with the FTPS server are fully established. This results in an incomplete SSL handshake and a failed connection.

Definitive Solution: This issue has been resolved in the following versions:

• FortiProxy 7.2: Interim version 278175
• FortiProxy 7.4.4 and later versions

FortiProxy 7.4.4 release notes.

Workaround: A possible workaround is to create a specific proxy policy for the FTPS server's IP address and place it at the top of all other policies. However, do not include a deep inspection profile in this policy.

Important Note:

• Simply creating a policy without deep inspection may not work because FortiProxy requires SSL deep inspection to process FTPS connections with explicit encryption.
• The FortiProxy device must decrypt the connection to monitor the FTP control channel and dynamically open the data channel.

Adding the FTPS server to the decryption exception list may require leaving the security policy more open to enable static setup of the data channel. This configuration allows FortiProxy to accept the connection with explicit encryption while stopping the decryption process.