XavierMP
New Contributor

Fortigate allow outbound FTP over TLS

Hi, I want to allow FTP clients in my LAN to connect to FTP servers outside over TLS. The server is listening on port 21, but after the initial communication the client and server must communicate on a high port, and it seems the Fortigate doesn't open those ports. If I allow all the outbound ports, the transfer works.

I have tried this guide with no luck: https://kb.fortinet.com/kb/documentLink.do?externalID=FD52155

I think I am not configuring the deep inspection correctly.

Any help?

Thank you

abarushka
Staff

Hello,

I would like to ask whether the inspection mode is set to proxy or flow.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allow-explicit-FTPS-connection-over-VIP/ta...

esalija
Staff

Explicit FTPS is hence only supported with a combination of proxy-based inspection, IPS and deep inspection.


# config firewall policy
    edit 3
        set name "FTP"
        set uuid fdb707ba-cfa3-51eb-1be1-c632b14d101c
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set utm-status enable
        set inspection-mode proxy           <-----
        set ssl-ssh-profile "FTP-scan"      <-----
        set ips-sensor "default"            <-----
        set logtraffic all
    next
end
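To show why the answer above requires proxy mode plus deep inspection, here is an added Python example that is not from this thread and not Fortinet code. It mimics what an FTP application-layer gateway does on the control channel: it parses the PASV/EPSV replies and PORT/EPRT commands to learn the high data port that needs a pinhole, and it marks the channel as opaque once the client's AUTH TLS is accepted with a 234 reply, because from then on a firewall that does not decrypt the session sees only TLS records. The sample exchanges, addresses and the `FtpAlgTracker` class name are all constructed for the example.

```python
"""Toy FTP-ALG control-channel tracker (added example, not FortiGate code).

A firewall ALG reads the FTP control channel to learn which high port the
data connection will use and opens a pinhole for it.  Once the client sends
AUTH TLS and the server answers 234, the rest of the control channel is TLS
ciphertext, so a firewall that does not decrypt it (no deep inspection)
can no longer learn the data port.  All sample exchanges below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Server-side replies announcing the passive-mode data endpoint.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# Client-side commands announcing an active-mode listener.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|\s*$", re.IGNORECASE)

Pinhole = Tuple[str, int, str]  # (host, port, "passive" | "active")


@dataclass
class FtpAlgTracker:
    """Tracks one FTP control session as a non-decrypting firewall would see it."""
    server_ip: str
    encrypted: bool = False          # True once AUTH TLS succeeded
    _auth_pending: bool = False
    pinholes: List[Pinhole] = field(default_factory=list)

    def client_line(self, line: str) -> Optional[Pinhole]:
        """Handle a client->server line; return the pinhole learned from it, if any."""
        if self.encrypted:
            return None                       # ciphertext: nothing to parse
        upper = line.strip().upper()
        if upper in ("AUTH TLS", "AUTH SSL", "AUTH TLS-C", "AUTH TLS-P"):
            self._auth_pending = True         # wait for the server's verdict
            return None
        m = PORT_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            hole = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2, "active")
            self.pinholes.append(hole)
            return hole
        m = EPRT_RE.match(line)
        if m:
            hole = (m.group(1), int(m.group(2)), "active")
            self.pinholes.append(hole)
            return hole
        return None

    def server_line(self, line: str) -> Optional[Pinhole]:
        """Handle a server->client reply; return the pinhole learned from it, if any."""
        if self.encrypted:
            return None
        if self._auth_pending:
            self._auth_pending = False
            if line.startswith("234"):
                self.encrypted = True         # TLS handshake follows; channel goes dark
                return None
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            hole = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2, "passive")
            self.pinholes.append(hole)
            return hole
        m = EPSV_RE.match(line)
        if m:
            hole = (self.server_ip, int(m.group(1)), "passive")   # EPSV omits the address
            self.pinholes.append(hole)
            return hole
        return None


def inspect_exchange(server_ip: str, exchange: List[Tuple[str, str]]) -> Tuple[List[Pinhole], bool]:
    """Replay ('C'|'S', line) pairs; return the pinholes learned and whether the channel went encrypted."""
    t = FtpAlgTracker(server_ip)
    for who, line in exchange:
        (t.client_line if who == "C" else t.server_line)(line)
    return t.pinholes, t.encrypted


# Constructed sample exchanges (documentation addresses, not real hosts).
PLAIN_FTP = [
    ("C", "USER anonymous"), ("S", "331 Please specify the password."),
    ("C", "PASS guest"), ("S", "230 Login successful."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,10,195,80)."),
    ("C", "RETR file.bin"), ("S", "150 Opening BINARY mode data connection."),
]
EXPLICIT_FTPS = [
    ("C", "AUTH TLS"), ("S", "234 AUTH command ok. Expecting TLS Negotiation."),
    # From here on the firewall sees TLS records, not FTP text.
    ("C", "<TLS record: encrypted USER/PASS/PASV ...>"),
    ("S", "<TLS record: encrypted 227 reply ...>"),
]

if __name__ == "__main__":
    print(inspect_exchange("203.0.113.10", PLAIN_FTP))      # one passive pinhole learned
    print(inspect_exchange("203.0.113.10", EXPLICIT_FTPS))  # no pinhole, encrypted=True
```

The plaintext session yields a pinhole for 203.0.113.10:50000 (195 * 256 + 80), which is exactly what a flow-mode firewall without decryption can still do for plain FTP. The explicit FTPS session yields nothing: the PASV reply is inside TLS, so the only ways to get the data channel through are to decrypt the control channel (the proxy-mode policy with the SSL/SSH profile and IPS sensor from the answer above) or to open the high-port range outright, which is what the original poster observed when allowing all outbound ports.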
