Description
This article describes how to configure and troubleshoot an FTP proxy on FortiGate.
Scope
FortiGate.
Solution
The FortiGate FTP explicit feature enables explicit FTP proxying of IPv4 and IPV6 traffic on one or more FortiGate interfaces.
To access ftp services, users on a network must configure their ftp application to use the explicit proxy and set the proxy server address to the IP address of the FortiGate interface that has explicit proxy enabled.
From the GUI:
- Go to System -> Feature visibility and make sure Explicit Proxy is enabled.
- Go to Network -> Interface -> explicit proxy and enable Explicit FTP proxy.
Then select the interface in which FortiGate needs to listen for FTP proxy, and select the desired port number.
From CLI:
config ftp-proxy explicit
set status enable
set incoming-port 8021
set status enable
set incoming-port 8021
set ssl enable <-- Allows FortiGate connections to Encrypted Explicit Mode FTP Server.
set ssl-cert "Fortinet_Factory"
set ssl-dh-bits 2048
set ssl-algorithm high
end
set ssl-cert "Fortinet_Factory"
set ssl-dh-bits 2048
set ssl-algorithm high
end
On the listening interface, make sure the explicit proxy is enabled.
config system interface
edit "port10"
set vdom "root"
set ip 10.120.0.61 255.255.252.0
set allowaccess ping https ssh http
set type physical
set explicit-ftp-proxy enable
set sbnmp-index 12
next
edit "port10"
set vdom "root"
set ip 10.120.0.61 255.255.252.0
set allowaccess ping https ssh http
set type physical
set explicit-ftp-proxy enable
set sbnmp-index 12
next
end
Configure proxy policy to the WAN interface and enable proxy service as FTP.
config firewall proxy-policy
edit 1
set uuid dl8ec384-b98f-51e9-31de-dl0439a57987
set proxy ftp
set dstfintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set ssl-ssh-profile "deep-inspection" <-- Allows FortiGate connections to Encrypted Explicit Mode FTP Server.
next
edit 1
set uuid dl8ec384-b98f-51e9-31de-dl0439a57987
set proxy ftp
set dstfintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set ssl-ssh-profile "deep-inspection" <-- Allows FortiGate connections to Encrypted Explicit Mode FTP Server.
next
Note: If SSL is not enabled on 'ftp-proxy explicit' settings in combination with 'deep-inspection' on the firewall proxy-policy, FortiGate would be able to connect only to Plain-Text FTP Servers. Enabling SSL and deep-inspection allows FortiGate to connect to Encrypted Explicit Mode FTP Servers on Port 21.
Related documentation: FTP proxy.
Related documentation: FTP proxy.
Configuration from the FTP client:
Logs from the FTP client.
STATUS> Connecting to 'speedtest.tele2.net' on port 21 through proxy "10.120.0.61" on port 8021.
STATUS> Connecting to '10.120.0.61' on port 8021.
STATUS> Connected to '10.120.0.61' on port 8021 from 10.120.0.174:50658.
STATUS> Connecting to '10.120.0.61' on port 8021.
STATUS> Connected to '10.120.0.61' on port 8021 from 10.120.0.174:50658.
COMMAND:
- USER: anonymous@speedtest.tele2.net.
- Provide password information according to the following format: [[proxy-passwd:[proxy-token:]]remote_passwd.
Note that if a proxy-user is used as part of the user name, provide a proxy-passwd as part of the password.
Furthermore, proxy-token can only be provided in the password if proxy-user has been provided.
Command:
PASS ****
Login successful.
STATUS: Login successful.
CLI debug on FortiGate:
diagnose wad debug enable level info
diagnose wad debug enable category ftp
diagnose debug enable
When using FTP Over HTTP, the configuration must be as follows:
config ftp-proxy explicit
set status enable
set incoming-port 8021
set ftp-over-http enable <- This option must be enabled.
set http-incoming-port 8021
set https-incoming-port 8021
set ftp-incoming-port 8021
config system interface
edit "port10"
set vdom "root"
set ip 10.120.0.61 255.255.252.0
set allowaccess ping https ssh http
set type physical
set explicit-ftp-proxy enable
set explicit-web-proxy enable
set sbnmp-index 12
