Fortigate allow outbound FTP over TLS
Hi, I want to allow FTP clients in my LAN to connect to FTP servers outside over TLS. The server is listening on port 21, but after the initial communication client and server must communicate on a high port, and it seems the Fortigate doesn't open those ports. If I allow all the outbound ports the transfer works.
I have tried with this guide with no luck: https://kb.fortinet.com/kb/documentLink.do?externalID=FD52155
I think I am not doing well configuring the deep inspection.
Any help?
Thank you
2 REPLIES
Hello,
I would like to ask whether inspection mode is set to proxy or flow?
FortiGate
Explicit FTPS is hence only supported with a combination of proxy-based inspection, IPS and deep inspection.
# config firewall policy
    edit 3
        set name "FTP"
        set uuid fdb707ba-cfa3-51eb-1be1-c632b14d101c
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set utm-status enable
        set inspection-mode proxy <-----
        set ssl-ssh-profile "FTP-scan" <-----
        set ips-sensor "default" <-----
        set logtraffic all
    next
end
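
Added example, not part of the thread and not Fortinet code: a Python sketch of why a helper that reads the cleartext FTP control channel can open the passive data port for plain FTP but learns nothing once explicit FTPS switches to TLS, which is the gap deep inspection closes. The function name, addresses and payloads are constructed for illustration.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> data port = p1*256 + p2
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")

def looks_like_tls(data):
    # TLS record header: content type 20-23, then version major byte 0x03
    return len(data) >= 3 and 20 <= data[0] <= 23 and data[1] == 3

def track_control_channel(server_ip, segments):
    """Hypothetical helper: walk (direction, payload) control-channel segments
    as a cleartext-only FTP helper would and return (pinholes, unparsed)."""
    pinholes, unparsed = [], 0
    for direction, payload in segments:
        if looks_like_tls(payload):
            unparsed += 1          # encrypted: the data port inside is invisible
            continue
        if direction != "S":       # only server replies announce passive ports
            continue
        m = PASV_RE.match(payload)
        if m:
            n = [int(x) for x in m.groups()]
            pinholes.append((".".join(map(str, n[:4])), n[4] * 256 + n[5]))
            continue
        m = EPSV_RE.match(payload)
        if m:
            pinholes.append((server_ip, int(m.group(1))))
    return pinholes, unparsed

# Constructed sample traffic (documentation address 203.0.113.10).
PLAIN_FTP = [
    ("S", b"220 ready\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (203,0,113,10,195,80)\r\n"),
]
EXPLICIT_FTPS = [
    ("S", b"220 ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 AUTH TLS successful\r\n"),
    ("C", b"\x16\x03\x01" + b"\x00" * 8),   # TLS handshake record
    ("S", b"\x16\x03\x03" + b"\x00" * 8),
    ("C", b"\x17\x03\x03" + b"\x00" * 8),   # encrypted PASV command
    ("S", b"\x17\x03\x03" + b"\x00" * 8),   # encrypted 227 reply
]

if __name__ == "__main__":
    print(track_control_channel("203.0.113.10", PLAIN_FTP))
    print(track_control_channel("203.0.113.10", EXPLICIT_FTPS))
```
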
