Explicit Proxy + Authentication + FTP/SFTP Connections
Hi there,
we want to migrate from MS TMG to FortiGate. In the end FSSO wasn't very reliable in our environment (missing DNS records, dual-homed clients and so on), so we threw away the idea of running the clients without an explicit proxy.
So for seamless access we use NTLM on the proxy access rules, but when it comes to FTP clients such as WinSCP or FileZilla, they need to authenticate with basic auth at a SOCKS5 or generic HTTP proxy.
So how could I solve this? Any ideas?
Never did SOCKS with FTP, but have you tried setting up a SOCKS proxy and testing?
e.g.
curl -v -x socks5h://x.x.x.x:8081 http://www.wwt.com
x.x.x.x would be your proxy address
CLI config:
config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set ftp-incoming-port 2022
    set socks-incoming-port 8081
    set realm "SOCPUPPETS_EXP_PROXY"
    set sec-default-action accept
end
PCNSE
NSE
StrongSwan
Okay, I believe you could do this to check SOCKS and proxy through a FortiGate; not sure about the authentication.
GRYHATKEN:~ kfelix$ curl -v --socks4 1.1.1.1:8081 ftp://ftp.fu-berlin.de/pub/atari/linux/
* Trying 1.1.1.1...
* SOCKS4 communication to ftp.fu-berlin.de:21
* SOCKS4 connect to 130.133.3.130 (locally resolved)
* SOCKS4 request granted.
* Connected to 1.1.1.1 (1.1.1.1) port 8081 (#0)
< 220 FTP.FU-Berlin.DE ready.
> USER anonymous
< 331 Anonymous login ok, send send anything as password.
> PASS ftp@example.com
< 230-
< Welcome at Freie Universitaet Berlin, Germany.
< Willkommen auf dem FTP-Server der Freien Universitaet Berlin.
< Ein Service der Zentraleinrichtung fuer Datenverarbeitung (ZEDAT).
<
< 230 FTP.FU-Berlin.DE login ok.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD pub
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful
> CWD atari
< 550 atari: No such file or directory
* Server denied you to change to the given directory
* Connection #0 to host ftp.fu-berlin.de left intact
curl: (9) Server denied you to change to the given directory
GRYHATKEN:~ kfelix$ curl -v --socks5 1.1.1.1:8081 ftp://ftp.fu-berlin.de/pub/atari/linux/
* Trying 1.1.1.1...
* 130
* 133
* 3
* 130
* Connected to 1.1.1.1 (1.1.1.1) port 8081 (#0)
< 220 FTP.FU-Berlin.DE ready.
> USER anonymous
< 331 Anonymous login ok, send send anything as password.
> PASS ftp@example.com
< 230-
< Welcome at Freie Universitaet Berlin, Germany.
< Willkommen auf dem FTP-Server der Freien Universitaet Berlin.
< Ein Service der Zentraleinrichtung fuer Datenverarbeitung (ZEDAT).
<
< 230 FTP.FU-Berlin.DE login ok.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD pub
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful
> CWD atari
< 550 atari: No such file or directory
* Server denied you to change to the given directory
* Connection #0 to host ftp.fu-berlin.de left intact
curl: (9) Server denied you to change to the given directory
GRYHATKEN:~ kfelix$
I would first start by making sure SOCKS v4/5 works with NO_AUTHENTICATION and go from that point by enabling Cauthen and identity policies.
Mohammand,
if you're following this post, I will PM you something as soon as I land.
Enjoy
:)
Thanks for your suggestion. I thought about enabling SOCKS, but I read about it previously and it didn't read as a good solution.
I tried it, and what I see... is not really good:
- As soon as any client is able to connect to the SOCKS proxy, it is completely unrestricted (no filter works, not even antivirus) and no authentication happens, nor is it possible... if you send a username it doesn't care. I think I read about this behaviour before in this forum.
Connection through SOCKS is possible, and so it is through the generic proxy (HTTP) without authentication.
At the moment:
- Enabling SOCKS creates a whole bypass of any rules
- Generic proxy/HTTP authentication can't be used
Stuck at the moment :(
Edit:
BTW, I am currently on 5.4; SOCKS5 auth is only supported from 5.6.
So on 5.4 I can't use SOCKS5 at the moment.
Any ideas for an HTTP proxy to allow NTLM + basic auth?
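The observation above, that a client can reach the SOCKS proxy and any username is ignored, is something a proxy owner can verify directly from the protocol rather than from a file-transfer client. The following is an added example (not code from this thread, from Fortinet, or from FortiOS) that implements the SOCKS5 method negotiation from RFC 1928 and the username/password sub-negotiation from RFC 1929, and turns two observations into a verdict: whether the proxy selects the "no authentication" method when that is the only one offered, and whether it accepts a deliberately invalid credential when username/password is the only method offered. The proxy host, the port 8081 and the bogus credential are assumptions; the offline parts work on constructed byte strings.

```python
import socket

# RFC 1928 authentication method identifiers
SOCKS_VER = 0x05
NO_AUTH = 0x00
USERPASS = 0x02
NO_ACCEPTABLE = 0xFF
USERPASS_VER = 0x01  # RFC 1929 sub-negotiation version


def build_greeting(methods):
    """Client greeting: VER, NMETHODS, METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS_VER, len(methods)]) + bytes(methods)


def parse_method_selection(reply):
    """Server reply: VER, METHOD. Returns the method byte the proxy chose."""
    if len(reply) != 2 or reply[0] != SOCKS_VER:
        raise ValueError("malformed SOCKS5 method selection: %r" % (reply,))
    return reply[1]


def build_userpass_request(username, password):
    """RFC 1929 request: VER, ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:  # RFC 1929 length limits
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([USERPASS_VER, len(u)]) + u + bytes([len(p)]) + p


def parse_userpass_reply(reply):
    """RFC 1929 reply: VER, STATUS. True only when STATUS == 0x00 (success)."""
    if len(reply) != 2 or reply[0] != USERPASS_VER:
        raise ValueError("malformed username/password reply: %r" % (reply,))
    return reply[1] == 0x00


def audit_verdict(noauth_method, bogus_login_ok):
    """Combine the two observations into a verdict for the proxy owner.

    noauth_method:  method byte the proxy chose when offered only NO_AUTH
    bogus_login_ok: whether an invalid credential was accepted, or None when
                    the proxy never selected USERPASS
    """
    if noauth_method == NO_AUTH:
        return "open: proxy grants access with no authentication at all"
    if bogus_login_ok is True:
        return "open: proxy selects user/pass but accepts invalid credentials"
    if bogus_login_ok is False:
        return "enforced: invalid credentials rejected"
    return "inconclusive: proxy selected neither NO_AUTH nor USERPASS"


def probe_socks5(host, port, timeout=5.0):
    """Live audit against a proxy you administer (host/port are assumptions)."""
    # Step 1: offer only NO_AUTH. A proxy that enforces auth must answer 0xFF.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_greeting([NO_AUTH]))
        noauth_method = parse_method_selection(s.recv(2))
    bogus_ok = None
    if noauth_method != NO_AUTH:
        # Step 2: offer only USERPASS and present a credential that cannot be valid.
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_greeting([USERPASS]))
            if parse_method_selection(s.recv(2)) == USERPASS:
                s.sendall(build_userpass_request("audit-nonexistent-user",  # constructed
                                                 "not-a-real-password"))
                bogus_ok = parse_userpass_reply(s.recv(2))
    return audit_verdict(noauth_method, bogus_ok)


if __name__ == "__main__":
    import sys
    # Hypothetical proxy address; use the FortiGate's socks-incoming-port.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(probe_socks5(target, 8081))
```

Run it against the proxy interface while the SOCKS feature is enabled; an "open" verdict in either form reproduces the bypass described above and is the condition to fix (or the reason to keep SOCKS disabled) before relying on identity-based policies.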
Okay, I'm back online.
I've used explicit with LDAP (AD) and it's quite simple to enable and to use in FileZilla, Cyberduck, Firefox or other applications that use FTP proxies. Other options are ftp-over-web-proxy or SOCKS v4/5 compatible proxies; with the latter I never achieved authentication correctly, but the FGT, as demoed before, will work as a SOCKS proxy for web, FTP, telnet etc.
For FortiOS enable the explicit-ftp proxy, and you can define the default action as deny and set identity-based policies.
e.g.
config system interface
    edit "NETLAN01"
        set vdom "root"
        set ip 192.198.11.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set explicit-ftp-proxy enable
        # this would be the interface(s) where you expect users
    next
end
config ftp-proxy explicit
    set status enable
    set incoming-port 21
    set incoming-ip 0.0.0.0
    unset outgoing-ip
    set sec-default-action deny
end
and finally a policy:
config firewall explicit-proxy-policy
    edit 1
        set proxy ftp
        set dstintf "wan1"
        set srcaddr "CLASSROOMWEST"
        set dstaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set users "Msjones" "terry" "jacue" "Basi"
            next
            edit 2
                set schedule "CLASS_HOURS"
                set groups "STUDENTSGRP1" "STUDENTSGRP2" "STUDENTSGRP3" "STUDENTSGRP4"
            next
        end
    next
end
That's about all that it takes ;)
On FileZilla you need to configure the proxy settings in a custom mode (I found that to work best).
See screenshot; maybe I will post this online. Keep in mind various clients don't honour the system proxy settings on Windows versions and even macOS.
I.e. Cyberduck always ignores my proxy settings.
Use curl for diagnostics, or a simple ftp, i.e.
ftp proxyusername:proxyuserpassword:siteusername:password@sitename <fgt_proxyaddress>
if you think authentication is the issue.
I hope that helps
Thanks for your help.
SFTP can't be used this way I think, and FTPS too. So is this only a solution for plain FTP connections, or am I missing something?
I never tried SFTP or FTP-SSL, but give it a try. I can test FTP-SSL, since at my day job we have FTP-SSL applications. Again, try and find out.
SOCKS works for the most part, but is probably not what you really want if you need authentication. Protocol-based (FTP, web) seems to be the norm nowadays.
I'll post on my FTP-SSL attempt here shortly.
Ken
No go: FTPES using the following failed when going through an explicit ftp-proxy.
user demo
password password
The site does work, so we know it's not the site ;)
I hope that helps
Ken Felix
