FortiWeb
shafiq23
Staff
Article Id 247471
Description This article describes how to configure the FTP security server policy with SSL offloading.
Scope FortiWeb and FortiWeb VM in reverse proxy.
Solution

Enabling SSL/TLS on an FTP server requires additional CPU and memory to encrypt and decrypt the data in transit.

The actual impact depends on factors such as the number of concurrent connections, the size of the files being transferred, and the resources available to the server.

 

When the FTP server is not configured with SSL/TLS, clients send credentials and transfer or download files in clear text, which is a security concern on any network that untrusted hosts can observe.

 

With SSL offloading in FortiWeb FTP security, FortiWeb terminates the SSL/TLS connection from the client, decrypts the traffic, and forwards it to the backend FTP server in clear text. The FortiWeb-to-server leg is therefore unencrypted, so the backend FTP server should sit on a trusted segment that is not reachable by untrusted clients, and the FTP server itself no longer needs to carry the encryption overhead.

 

Topology:


FTP client > FortiWeb (reverse proxy) > FTP server

 

Requirement:


1) FortiWeb in Reverse Proxy.
2) Virtual Server and Virtual IP.
3) FTP Server.

 

From GUI.

 

Server Pool:
1) Navigate to Server Objects -> Server -> Server Pool.
2) Select Create New -> Create FTP Server Pool.
3) Define server pool name : FileZilla-FTP.
4) Select Server Balance if multiple FTP servers are involved.
5) Select OK.
6) Select Create New.
7) Define FTP server IP/Domain: 10.100.3.219.
8) Select OK.
9) Select OK.

 

sn1.PNG

 

Server Policy:
1) Navigate to Policy -> Server Policy.
2) Select Create New -> Create FTP Policy.
3) Define policy name: FTPS_ServerPolicy.
4) Select the preferred Virtual Server.
5) Select the FTP Server Pool created above.
6) Select FTP service.
7) Enable SSL and select the certificate FortiWeb presents to FTP clients.
8) Select an FTP Security Profile, if one is configured.
9) Select OK.

 

sn2.PNG

 

Steps to verify:


From GUI:
1) Navigate to Network -> Packet Capture.
2) Select Create New.
3) Specify the interface, capture filter (for example, TCP port 21), and maximum packet count.
4) Select OK.
5) Select the 'Start' icon to start the packet capture.

6) Simulate FTP traffic against the FortiWeb Virtual Server.

7) Select the 'Stop' icon to stop the packet capture.
8) Select the 'Download' icon to download the .pcap file.
9) Open the .pcap file in Wireshark.
10) Use Statistics -> Flow Graph to observe an overview of the traffic flow in Wireshark.

 

sn3.PNG

 

Encrypted:

10.212.134.27 (Client) ---> 10.47.18.81 port 21 (FortiWeb VIP)


Unencrypted:

10.100.2.81 (FortiWeb IP) ---> 10.100.3.219 port 21 (FTP Server)
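The same check can be automated instead of reading the flow graph by eye. The following is an added example, not code from the original article or from FortiWeb: a stdlib-only libpcap parser that inspects the client-to-server payload of every TCP flow to port 21 and reports whether the flow is TLS, explicit FTPS (AUTH TLS sent in clear text first), clear text, or unknown. The sample capture, the port numbers, and the 'ftpuser' credentials are constructed inline to mirror the two flows above; on a real capture, run report('capture.pcap') against the .pcap downloaded from FortiWeb.

```python
"""Classify FTP control-channel flows in a FortiWeb packet capture.

Added example (not FortiWeb code): a TLS session starts with a handshake
record (0x16 0x03), an explicit FTPS session sends 'AUTH TLS' in clear text
first, and plain FTP starts with ASCII commands such as USER. The sample
frames below are constructed, not a real dump.
"""
import socket
import struct

FTP_PORT = 21


def iter_tcp_payloads(data):
    """Yield (src, dst, sport, dport, payload) for each IPv4/TCP packet in a
    classic libpcap (not pcapng) capture with an Ethernet link layer."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:  # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[doff:]


def classify_flows(data, port=FTP_PORT):
    """Map (client_ip, server_ip) -> 'tls', 'explicit-tls-requested',
    'cleartext' or 'unknown', judged from the client-to-server payloads."""
    flows = {}
    for src, dst, _sport, dport, payload in iter_tcp_payloads(data):
        if dport == port and payload:
            flows.setdefault((src, dst), []).append(payload)
    verdicts = {}
    for key, payloads in flows.items():
        if any(p[:2] == b"\x16\x03" for p in payloads):
            verdicts[key] = "tls"                     # TLS handshake record seen
        elif any(p.upper().startswith((b"AUTH TLS", b"AUTH SSL")) for p in payloads):
            verdicts[key] = "explicit-tls-requested"  # upgrade asked, no handshake captured
        elif all(all(32 <= b < 127 or b in (10, 13) for b in p) for p in payloads):
            verdicts[key] = "cleartext"               # readable FTP commands on the wire
        else:
            verdicts[key] = "unknown"
    return verdicts


def report(path):
    """Print and return the verdicts for a .pcap downloaded from FortiWeb."""
    with open(path, "rb") as fh:
        verdicts = classify_flows(fh.read())
    for (src, dst), verdict in sorted(verdicts.items()):
        print(f"{src} -> {dst}:{FTP_PORT}  {verdict}")
    return verdicts


# --- constructed sample data (not a real capture) ---------------------------

def packet(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame with zeroed checksums and MACs."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(packets):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)
    return header + records


def sample_packets():
    """Frames mirroring the article: TLS from the client to the VIP, clear
    text from FortiWeb to the backend FTP server (assumed ports/credentials)."""
    client_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # TLS record, truncated ClientHello
    return [
        packet("10.212.134.27", "10.47.18.81", 51000, FTP_PORT, client_hello),
        packet("10.100.2.81", "10.100.3.219", 40000, FTP_PORT, b"USER ftpuser\r\n"),
        packet("10.100.3.219", "10.100.2.81", FTP_PORT, 40000, b"331 Password required\r\n"),
        packet("10.100.2.81", "10.100.3.219", 40000, FTP_PORT, b"PASS s3cret\r\n"),
    ]


if __name__ == "__main__":
    for (src, dst), verdict in classify_flows(build_pcap(sample_packets())).items():
        print(f"{src} -> {dst}:{FTP_PORT}  {verdict}")
```

Only the first bytes of client-to-server payloads are examined, so the check is independent of the FTP server software; a verdict of 'cleartext' on the client-to-VIP flow means SSL was not enabled on the server policy (or the client did not negotiate TLS), while 'explicit-tls-requested' with no following handshake usually means the TLS upgrade was refused.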

 

Refer to the following documentation for more information on FortiWeb FTP security:
https://docs.fortinet.com/document/fortiweb/7.0.5/administration-guide/621246/configuring-ftp-securi...
