FortiGate
Sandeep_FTNT
Staff
Article Id 196423

Description

This article describes how to configure and troubleshoot an FTP proxy on FortiGate.

Scope

FortiGate.

Solution

 

The FortiGate explicit FTP proxy feature enables explicit FTP proxying of IPv4 and IPv6 traffic on one or more FortiGate interfaces.
To access FTP services, users on the network must configure their FTP client to use the explicit proxy, with the proxy server address set to the IP address of the FortiGate interface on which the explicit proxy is enabled.

 

From the GUI:

  • Go to System -> Feature Visibility and make sure Explicit Proxy is enabled.
  • Go to Network -> Interface -> explicit proxy and enable Explicit FTP proxy.

Then select the interface on which FortiGate should listen for the FTP proxy and the desired port number.

 
From CLI:
 
config ftp-proxy explicit
    set status enable
    set incoming-port 8021
end
 
On the listening interface, make sure the explicit proxy is enabled.
 
config system interface
    edit "port10"
        set vdom "root"
        set ip 10.120.0.61 255.255.252.0
        set allowaccess ping https ssh http
        set type physical
        set explicit-ftp-proxy enable
        set snmp-index 12
    next
end
 
Configure a proxy policy towards the WAN interface and set the proxy type to FTP.
 
config firewall proxy-policy
    edit 1
        set uuid d18ec384-b98f-51e9-31de-d10439a57987
        set proxy ftp
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end
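As an added example (not Fortinet's code), a short Python audit that parses the FortiOS configuration style used above (config/edit/set/next/end) and reports whether the explicit FTP proxy is enabled, on which port and interfaces it listens, and which FTP proxy policies accept from srcaddr "all", the least-privilege point to review before exposing the listener. The embedded configuration is a constructed, trimmed copy of the blocks above.

```python
import shlex
# Constructed sample: a trimmed copy of the article's three config blocks.
SAMPLE_CONFIG = """
config ftp-proxy explicit
    set status enable
    set incoming-port 8021
end
config system interface
    edit "port10"
        set explicit-ftp-proxy enable
    next
end
config firewall proxy-policy
    edit 1
        set proxy ftp
        set srcaddr "all"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Map each config/edit scope (a path tuple) to its 'set' key -> values."""
    scopes, stack, current = {}, [], None
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts: continue
        if parts[0] in ("config", "edit"):   # open a nested scope
            stack.append(" ".join(parts[1:]))
            current = scopes.setdefault(tuple(stack), {})
        elif parts[0] in ("next", "end"):    # close the innermost scope
            stack.pop()
            current = scopes.get(tuple(stack))
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2:]
    return scopes

def audit_ftp_proxy(text):
    """Report proxy status/port, listening interfaces, and FTP policies open to any source."""
    scopes = parse_fortios(text)
    proxy = scopes.get(("ftp-proxy explicit",), {})
    report = {"enabled": proxy.get("status") == ["enable"], "listeners": [], "open_policies": [],
              "port": int(proxy["incoming-port"][0]) if "incoming-port" in proxy else None}
    for path, keys in scopes.items():
        if path[0] == "system interface" and keys.get("explicit-ftp-proxy") == ["enable"]:
            report["listeners"].append(path[1])
        if (path[0] == "firewall proxy-policy" and keys.get("proxy") == ["ftp"]
                and keys.get("action") == ["accept"] and keys.get("srcaddr") == ["all"]):
            report["open_policies"].append(path[1])  # any client reaching the listener may use it
    return report
```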
 
Configuration from the FTP client:

Logs from the FTP client:

STATUS>    Connecting to 'speedtest.tele2.net' on port 21 through proxy "10.120.0.61" on port 8021.
STATUS>    Connecting to '10.120.0.61' on port 8021.
STATUS>    Connected to '10.120.0.61' on port 8021 from 10.120.0.174:50658.
 

COMMAND:

  • USER: anonymous@speedtest.tele2.net, i.e. the remote user name followed by @ and the remote FTP server.
  • Provide the password in the following format: [proxy-passwd:[proxy-token:]]remote_passwd

Note that if a proxy-user is used as part of the user name, a proxy-passwd must be provided as part of the password.
Furthermore, a proxy-token can only be provided in the password if a proxy-user has been provided.


COMMAND:

PASS  ****
Login successful.
STATUS:    Login successful.

CLI debug on FortiGate:

diagnose wad debug enable level info
diagnose wad debug enable category ftp
diagnose debug enable

 

When using FTP over HTTP, the configuration must be as follows:

config ftp-proxy explicit
    set status enable
    set incoming-port 8021
end

config web-proxy explicit    <- FTP over HTTP is a setting of the explicit web proxy.
    set status enable
    set ftp-over-http enable    <- This option must be enabled.
    set http-incoming-port 8021
    set https-incoming-port 8021
    set ftp-incoming-port 8021
end

 

config system interface
    edit "port10"
        set vdom "root"
        set ip 10.120.0.61 255.255.252.0
        set allowaccess ping https ssh http
        set type physical
        set explicit-ftp-proxy enable
        set explicit-web-proxy enable
        set snmp-index 12
    next
end