This article describes how to set up a firewall policy that allows FTP over TLS (FTPS) traffic.
When connecting to an FTP server using TLS, two options are available: explicit or implicit.
An explicit connection in active mode connects to the FTP server on the regular port 21 for the control channel, and the server initiates a connection back to the client using port 20 as its source port.
The connection starts in plain text, but once the TLS session and its certificates are negotiated, the connection is encrypted from that point on.
In passive mode, the client initiates both the control channel and the data channel.
The control channel is still negotiated over port 21, but the data-channel port is negotiated between server and client within a specific range, and that negotiation already takes place over the encrypted channel.
For an implicit connection the process is similar, with one major difference: the connection is encrypted right from the start, using port 990 (with port 989 used as the server's source port for the data channel in active mode).
Regardless of the method used, one thing is certain: the communication will be encrypted at some point, and a firewall in between needs to know which ports are being used for the data channel in order to allow the traffic, so it must be able to inspect it.
Session helpers are used for protocols such as FTP or SIP, which establish multiple connections to complete a flow of information.
The helper lets FortiGate open the necessary ports for the extra sessions so that the communication can be established.
However, when using FTP over TLS, the firewall cannot read the port for the data channel, and as a consequence that traffic will not be allowed.
That is why SSL inspection must be enabled, so the traffic can be inspected and the ports revealed to the session helper.
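As an added example (not part of the original article and not FortiGate code), the following Python script models what an FTP session helper has to read from the control channel in order to open the data channel: the PORT command of active mode, the 227/229 replies of passive mode (RFC 959 / RFC 2428) and the AUTH TLS upgrade (RFC 4217), after which a firewall without SSL inspection sees only ciphertext. It covers both the explicit and the implicit case described above. The exchanges, addresses and ports are constructed, and `HelperModel` and `helper_pinholes` are illustrative names, not FortiOS APIs.

```python
import re
from dataclasses import dataclass, field

# Control-channel formats a helper must understand (the constructed exchanges
# further down use these):
#   RFC 959  PORT h1,h2,h3,h4,p1,p2                  active: client data endpoint
#   RFC 959  227 Entering Passive Mode (h1,...,p2)   passive: server data endpoint
#   RFC 2428 229 Entering Extended Passive Mode (|||port|)
#   RFC 4217 AUTH TLS -> 234                         explicit FTPS upgrade
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def _decode_hostport(match):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port_command(line):
    """Client 'PORT a,b,c,d,p1,p2' -> (client_ip, client_port) for active mode."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    return _decode_hostport(m)


def parse_pasv_reply(line):
    """Server '227 ... (a,b,c,d,p1,p2)' -> (server_ip, server_port) for passive mode."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("malformed 227 reply: %r" % line)
    return _decode_hostport(m)


def parse_epsv_reply(line):
    """Server '229 ... (|||port|)' -> server_port (the host is the control peer)."""
    m = _EPSV_PORT.search(line)
    if not m:
        raise ValueError("malformed 229 reply: %r" % line)
    return int(m.group(1))


@dataclass
class HelperModel:
    """Illustrative model of what a session helper learns from one control channel."""
    server_ip: str
    ssl_inspection: bool
    encrypted: bool = False                       # True once the channel is inside TLS
    pinholes: list = field(default_factory=list)  # (mode, (ip, port)) the helper may open

    def observe(self, sender, line):
        if self.encrypted and not self.ssl_inspection:
            return                                # only ciphertext is visible: nothing learned
        if sender == "client":
            if line.upper().startswith("PORT "):
                self.pinholes.append(("active", parse_port_command(line)))
        elif line.startswith("227"):
            self.pinholes.append(("passive", parse_pasv_reply(line)))
        elif line.startswith("229"):
            self.pinholes.append(("passive", (self.server_ip, parse_epsv_reply(line))))
        elif line.startswith("234"):              # server accepted AUTH TLS; handshake follows
            self.encrypted = True


def helper_pinholes(exchange, ssl_inspection, implicit=False, server_ip="10.109.51.153"):
    """Replay a control-channel exchange and return the data-channel pinholes the
    helper could open.  implicit=True models port 990: encrypted from the first byte."""
    model = HelperModel(server_ip=server_ip, ssl_inspection=ssl_inspection, encrypted=implicit)
    for sender, line in exchange:
        model.observe(sender, line)
    return model.pinholes


# Constructed exchanges; addresses, ports and credentials are made up for the example.
PLAIN_FTP_ACTIVE = [
    ("server", "220 FTP server ready"),
    ("client", "USER alice"),
    ("server", "331 Password required"),
    ("client", "PASS s3cret"),                    # readable on the wire, as the article notes
    ("server", "230 Logged in"),
    ("client", "PORT 10,245,3,211,120,249"),
    ("server", "200 PORT command successful"),
]
EXPLICIT_FTPS_PASSIVE = [
    ("server", "220 FTP server ready"),
    ("client", "AUTH TLS"),
    ("server", "234 Proceed with negotiation"),
    # --- TLS handshake here; every line below travels inside the TLS record layer ---
    ("client", "USER alice"),
    ("server", "331 Password required"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,109,51,153,195,89)"),
]
IMPLICIT_FTPS_PASSIVE = EXPLICIT_FTPS_PASSIVE[3:]  # no AUTH TLS: TLS from the start on 990

if __name__ == "__main__":
    print("plain FTP, active:       ", helper_pinholes(PLAIN_FTP_ACTIVE, False))
    print("explicit FTPS, no insp.: ", helper_pinholes(EXPLICIT_FTPS_PASSIVE, False))
    print("explicit FTPS, inspected:", helper_pinholes(EXPLICIT_FTPS_PASSIVE, True))
    print("implicit FTPS, no insp.: ", helper_pinholes(IMPLICIT_FTPS_PASSIVE, False, implicit=True))
    print("implicit FTPS, inspected:", helper_pinholes(IMPLICIT_FTPS_PASSIVE, True, implicit=True))
```

Running it shows the article's point directly: the plain-text exchange yields a pinhole for the client's port 30969, the explicit and implicit FTPS exchanges yield nothing unless SSL inspection lets the helper read the 227 reply, and with inspection the helper recovers the server's data port 50009 from the same exchange.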
The following screenshot shows a typical plain-text FTP connection, in which the authentication takes place with even the username and password sent in plain text:
FG100E-7 (root) # diagnose sys session list
session info: proto=6 proto_state=01 duration=88 expire=3511 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/1 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=11->7/7->11 gwy=10.109.51.153/10.245.3.211
hook=post dir=org act=snat 10.245.3.211:30969->10.109.51.153:990(10.109.48.248:30969)
hook=pre dir=reply act=dnat 10.109.51.153:990->10.109.48.248:30969(10.245.3.211:30969)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0005c800 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=66/70, ipid=70/66, vlan=0x0000/0x0000
vlifid=70/66, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2
total session 1

The session list shows only the control-channel session, but no session for the data channel: because the traffic is not being inspected, FortiGate does not know which ports are being used.
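Added example, not from the article: a small Python parser for diagnose sys session list output that flags FTP/FTPS control sessions with no companion data-channel session between the same two hosts, which is exactly the symptom the dump above shows. The first dump is the article's output trimmed to the lines the parser uses; the second, with an extra data-channel session on port 50009, is constructed. The matching rule (any other TCP session between the same two hosts counts as the data channel) is an assumed simplification for the example, not how FortiOS itself tracks helper sessions.

```python
import re

# Output of "diagnose sys session list" from the article, trimmed to the lines
# this parser reads: one implicit-FTPS control session (dst port 990), nothing else.
SESSION_DUMP_NO_DATA = """\
session info: proto=6 proto_state=01 duration=88 expire=3511 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
hook=post dir=org act=snat 10.245.3.211:30969->10.109.51.153:990(10.109.48.248:30969)
hook=pre dir=reply act=dnat 10.109.51.153:990->10.109.48.248:30969(10.245.3.211:30969)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
total session 1
"""

# Constructed dump (not from the article): the same control session plus a
# passive-mode data-channel session to a made-up server port 50009.
SESSION_DUMP_WITH_DATA = """\
session info: proto=6 proto_state=01 duration=88 expire=3511 timeout=3600 use=4
hook=post dir=org act=snat 10.245.3.211:30969->10.109.51.153:990(10.109.48.248:30969)
hook=pre dir=reply act=dnat 10.109.51.153:990->10.109.48.248:30969(10.245.3.211:30969)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 use=4
hook=post dir=org act=snat 10.245.3.211:31002->10.109.51.153:50009(10.109.48.248:31002)
hook=pre dir=reply act=dnat 10.109.51.153:50009->10.109.48.248:31002(10.245.3.211:31002)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

# The originating direction's hook line carries the pre-NAT 5-tuple we care about.
_HOOK_ORG = re.compile(
    r"hook=\S+ dir=org act=\S+ (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
_PROTO = re.compile(r"\bproto=(\d+)")
_POLICY = re.compile(r"\bpolicy_id=(\d+)")
_TOTAL = re.compile(r"^total session (\d+)", re.M)


def parse_sessions(dump):
    """Split the dump into per-session dicts and cross-check the 'total session' line."""
    sessions = []
    for block in dump.split("session info:")[1:]:
        hook = _HOOK_ORG.search(block)
        if not hook:
            continue                                  # no original-direction tuple: skip
        proto = _PROTO.search(block)
        policy = _POLICY.search(block)
        sessions.append({
            "proto": int(proto.group(1)) if proto else None,
            "src": (hook.group(1), int(hook.group(2))),
            "dst": (hook.group(3), int(hook.group(4))),
            "policy_id": int(policy.group(1)) if policy else None,
        })
    total = _TOTAL.search(dump)
    if total and int(total.group(1)) != len(sessions):
        raise ValueError("dump reports %s sessions, parsed %d" % (total.group(1), len(sessions)))
    return sessions


def control_sessions_without_data(sessions, control_ports=(21, 990)):
    """Return FTP/FTPS control sessions (TCP to 21 or 990) that have no other TCP
    session between the same two hosts, i.e. no data channel the helper opened.
    Matching on the unordered host pair also covers active mode, where the
    server originates the data connection."""
    missing = []
    for s in sessions:
        if s["proto"] != 6 or s["dst"][1] not in control_ports:
            continue
        hosts = {s["src"][0], s["dst"][0]}
        companions = [o for o in sessions
                      if o is not s and o["proto"] == 6 and {o["src"][0], o["dst"][0]} == hosts]
        if not companions:
            missing.append(s)
    return missing


if __name__ == "__main__":
    for name, dump in (("article dump", SESSION_DUMP_NO_DATA),
                       ("constructed dump", SESSION_DUMP_WITH_DATA)):
        stuck = control_sessions_without_data(parse_sessions(dump))
        for s in stuck:
            print("%s: control session %s:%d -> %s:%d (policy %s) has no data channel"
                  % (name, *s["src"], *s["dst"], s["policy_id"]))
        if not stuck:
            print("%s: every control session has a data channel" % name)
```

On the article's dump the check reports the port 990 control session (policy 1) as having no data channel; on the constructed dump, where a second session between the same hosts exists, it reports nothing. The same check can be repeated after enabling SSL inspection on the policy to confirm that data-channel sessions now appear.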