FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Article Id 189531
Description
This article describes how to allow explicit FTPS connections to an internal FTP server through a VIP, and how to verify that the passive data connection is pinholed.

Diagram (image not included): client 10.230.4.86 on port3 -> VIP 10.230.4.72:21 on the FortiGate -> FTP server 10.220.3.202:21 on port2.

Solution
- Explicit FTPS (RFC 4217) starts as a plain FTP session on port 21; the client then issues AUTH TLS to upgrade the control connection to TLS, and PROT P so that the data connections it subsequently negotiates with PASV or PORT are protected as well.
Because the control connection is encrypted, the FTP session helper cannot read the PASV reply (or PORT command) that carries the address and port of the data connection, and hence does not open the necessary pinhole (expect session).
Likewise, flow-mode inspection does not support FTPS, as the IPS engine cannot read the encrypted payload.


- Explicit FTPS is therefore only supported with the combination of proxy-based inspection and deep inspection on the policy.
The WAD process terminates TLS on the control connection, reads the decrypted PASV reply and creates the 'expectation session' (expect session) for the incoming data connection, which is then DNAT'ed to the mapped server like the control connection.
Note that with deep inspection the client is presented with a certificate re-signed by the CA configured in the SSL/SSH profile (Fortinet_CA_SSL by default), so the FTPS client must trust that CA, or it will reject the certificate before AUTH TLS completes.
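The following added example (written for this article, not FortiGate or WAD code) models in plain Python what the two points above describe: how the PASV 227 reply on the control channel is turned into the pinhole for the data connection, and why a plaintext session helper can no longer do that once the client has issued AUTH TLS. The function names, the two control-channel traces and the expect-session string format are assumptions made for the example; the format is modelled on the WAD debug output later in this article, and the addresses are the ones used in this article. The last function is a live check against the VIP using Python's ftplib and needs a reachable FTPS server.

```python
"""Model of the FTP data-connection pinhole decision on the control channel."""
import re
import ssl
from ftplib import FTP_TLS
from typing import Optional

# Six comma-separated numbers of a 227 reply: h1,h2,h3,h4,p1,p2 (RFC 959)
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(line: str) -> Optional[tuple[str, int]]:
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The port is p1*256+p2. Parsing is lenient about the text around the six
    numbers, as RFC 1123 recommends. Returns None for anything that is not a
    well-formed 227 reply.
    """
    if not line.startswith("227"):
        return None
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expect_session(client_ip: str, vip_extip: str, offer_ip: str, offer_port: int) -> str:
    """Format the pinhole the way the article's WAD debug prints it (assumption:
    the client opens the data connection to the VIP's external IP on the
    offered port and the expect session DNATs it to the offered IP and port)."""
    return f"{client_ip}:0 -> {vip_extip}:{offer_port}({offer_ip}:{offer_port})"


def helper_pinholes(trace: list[tuple[str, bytes]], client_ip: str, vip_extip: str) -> list[str]:
    """Walk a control-channel trace of ('C'|'S', payload) as a plaintext helper would.

    After a successful AUTH TLS (client AUTH TLS, server 234) only TLS records
    follow, so no later 227 reply can be parsed and no pinhole is created.
    """
    pinholes = []
    auth_requested = encrypted = False
    for who, payload in trace:
        if encrypted:
            continue  # opaque TLS records from here on
        text = payload.decode("ascii", errors="replace").strip()
        if who == "C" and text.upper() in ("AUTH TLS", "AUTH SSL"):
            auth_requested = True
        elif who == "S" and auth_requested and text.startswith("234"):
            encrypted = True
        elif who == "S":
            parsed = parse_pasv_reply(text)
            if parsed:
                pinholes.append(expect_session(client_ip, vip_extip, *parsed))
    return pinholes


# Constructed traces for the example (not captured on the article's FortiGate).
PLAIN_FTP = [
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (10,220,3,202,198,68).\r\n"),  # 198*256+68 = 50756
]
EXPLICIT_FTPS = [
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation.\r\n"),
    ("C", b"\x16\x03\x01\x00\xc4" + b"\x00" * 20),  # TLS ClientHello (truncated)
    ("S", b"\x16\x03\x03\x00\x5a" + b"\x00" * 20),  # TLS ServerHello (truncated)
    ("C", b"\x17\x03\x03\x00\x1c" + b"\x00" * 28),  # application data: PASV, unreadable
    ("S", b"\x17\x03\x03\x00\x3a" + b"\x00" * 58),  # application data: 227 ..., unreadable
]


def explicit_ftps_check(host: str, port: int, user: str, password: str,
                        cafile: Optional[str] = None) -> list[str]:
    """Live check against the VIP: explicit FTPS with a protected passive data connection.

    The directory listing forces a PASV data connection through the expect
    session. With deep inspection the client sees a certificate re-signed by
    the FortiGate CA, so pass that CA as cafile.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)  # FTP_TLS issues AUTH TLS before USER/PASS
    ftp.prot_p()               # PBSZ 0 / PROT P: data connection is TLS too
    ftp.set_pasv(True)
    try:
        return ftp.nlst()
    finally:
        ftp.quit()
```

Running `helper_pinholes` over the two traces gives one expect session for the plaintext FTP trace and none for the explicit FTPS trace, which is exactly the gap that the proxy-mode WAD process fills by decrypting the control channel. `explicit_ftps_check("10.230.4.72", 21, user, password, cafile="fortigate-ca.pem")` exercises the full path through the VIP once the configuration below is in place.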


Configuration and verification.

VIP.
# config firewall vip
    edit "FTP"
        set uuid e568911a-cfa3-51eb-1d37-84ff97dd0765
        set extip 10.230.4.72
        set mappedip "10.220.3.202"
        set extintf "any"
        set portforward enable
        set extport 21
        set mappedport 21
    next
end
Policy.
# config firewall policy
    edit 3
        set name "FTP"
        set uuid fdb707ba-cfa3-51eb-1be1-c632b14d101c
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set utm-status enable
        set inspection-mode proxy           <-----
        set ssl-ssh-profile "FTP-scan"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
SSL inspection profile. FTPS must be set to deep-inspection; certificate inspection is not sufficient, since the PASV reply is inside the TLS payload.
The expired-server-cert, revoked-server-cert and cert-validation-failure 'allow' settings disable validation of the internal server's certificate on the FortiGate-to-server leg; they are acceptable for a self-signed certificate on a server under your control, but should be set to block once the server has a valid certificate.
# config firewall ssl-ssh-profile
    edit "FTP-scan"
        config https
            set ports 443
            set status deep-inspection
            set expired-server-cert allow
            set revoked-server-cert allow
            set cert-validation-failure allow
            set sni-server-cert-check disable
        end
        ...
        config ftps
            set ports 990
            set status deep-inspection       <-----
            set expired-server-cert allow
            set revoked-server-cert allow
            set cert-validation-failure allow
        end
        .
        .
        set block-blocklisted-certificates disable
        set ssl-anomalies-log disable
    next
end
WAD debugs indicating creation of the pinhole (expect) session: the decrypted 227 reply offers 10.220.3.202:50756, WAD binds an expect session for it, and the kernel entry DNATs the client's connection to 10.230.4.72:50756 to the mapped server.
removed command PASV from cmd queue.
2021-07-26 21:42:05.094380 [p:508][s:40738626] wad_ftp_exec_state(3954): received event REPLY in state NORMAL
2021-07-26 21:42:05.094442 [p:508][s:40738626] wad_ftp_pasv_reply_handler(1180): offer_ip=10.220.3.202 offer_port=50756
2021-07-26 21:42:05.094643 [p:508][s:40738626] wad_ftp_tp_ses_exp_free(168): fts=0x7f52db54a9c8, exp=(nil)
2021-07-26 21:42:05.094663 [p:508][s:40738626] wad_exp_tcp_in_find(190): proto=6 vd=0 ->10.220.3.202:50756 exp_tcp_in=(nil)
2021-07-26 21:42:05.094862 [p:508][s:40738626] wad_exp_tcp_in_open(228): bound to proto=6 dest=10.220.3.202:50756 vd=0 fd=83 local=0 tin(0x7f52dca666d0)
Control session tuple: 10.230.4.86:60919 -> 10.230.4.72:21 vf 0 vrf 0
Expect session tuple: 10.230.4.86:0 -> 10.230.4.72:50756(10.220.3.202:50756) vf 0 vrf 0
                     dir 0  act 2  hook 0 state 0 ops 0  skip 0

redirect: TCP 10.230.4.86:0 -> 10.230.4.72:50756 DNAT 10.220.3.202:50756
2021-07-26 21:42:05.095216 [p:508][s:40738626] wad_ftp_exec_state(3980): transitioned from state NORMAL to state NORMAL
2021-07-26 21:42:05.095224 [p:508][s:40738626] __wad_ftp_session_proc_reply(706): forwarded reply to client: ftp cmd=PASV, reply code=227
2021-07-26 21:42:05.095232 [p:508][s:40738626] wad_ips_port_out_read_br(262): ips_conn=0x7f52dcaf9a90, len=48
Flow debugs: the control connection is DNAT'ed by the VIP and handed to the proxy ("send to application layer"); the data-connection SYN matches the expect session created by WAD ("Find an EXP session") and is DNAT'ed the same way.
2021-07-26 21:41:53 id=20085 trace_id=138132 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=6, 10.230.4.86:60919->10.230.4.72:21) from port3. flag [S], seq 1747348908, ack 0, win 64240"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=init_ip_session_common line=5894 msg="allocate a new session-026d9f42"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=fw_pre_route_handler line=184 msg="VIP-10.220.3.202:21, outdev-port3"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=__ip_session_run_tuple line=3503 msg="DNAT 10.230.4.72:21->10.220.3.202:21"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.220.3.202 via port2"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=fw_forward_handler line=819 msg="Allowed by Policy-3: AV"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=ids_receive line=298 msg="send to ips"
2021-07-26 21:41:53 id=20085 trace_id=138132 func=av_receive line=314 msg="send to application layer"
.
.
2021-07-26 21:42:05 id=20085 trace_id=138192 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=6, 10.230.4.86:60921->10.230.4.72:50756) from port3. flag [S], seq 3571380554, ack 0, win 64240"
2021-07-26 21:42:05 id=20085 trace_id=138192 func=resolve_ip_tuple_fast line=5819 msg="Find an EXP session, id-026d9f42."
2021-07-26 21:42:05 id=20085 trace_id=138192 func=__ip_session_run_tuple line=3503 msg="DNAT 10.230.4.72:50756->10.220.3.202:50756"
Sniffer: both the control and the data connection are proxied, so each shows up as two TCP handshakes, client to FortiGate on port3 and FortiGate to server on port2, with independent sequence numbers on each leg.
2021-07-26 19:41:53.694768 port3 in 10.230.4.86.60919 -> 10.230.4.72.21: syn 1747348908                   <----- Control connection
2021-07-26 19:41:53.700869 port3 out 10.230.4.72.21 -> 10.230.4.86.60919: syn 1095480473 ack 1747348909
2021-07-26 19:41:53.702645 port3 in 10.230.4.86.60919 -> 10.230.4.72.21: ack 1095480474
2021-07-26 19:41:53.782756 port2 out 10.230.4.86.60919 -> 10.220.3.202.21: syn 1560759456
2021-07-26 19:41:53.788120 port2 in 10.220.3.202.21 -> 10.230.4.86.60919: syn 2105481383 ack 1560759457
2021-07-26 19:41:53.788290 port2 out 10.230.4.86.60919 -> 10.220.3.202.21: ack 2105481384
.
.
2021-07-26 19:42:05.235631 port3 in 10.230.4.86.60921 -> 10.230.4.72.50756: syn 3571380554                <----- Data connection
2021-07-26 19:42:05.290253 port3 out 10.230.4.72.50756 -> 10.230.4.86.60921: syn 4276598741 ack 3571380555
2021-07-26 19:42:05.291111 port3 in 10.230.4.86.60921 -> 10.230.4.72.50756: ack 4276598742
2021-07-26 19:42:05.302010 port2 out 10.230.4.86.60921 -> 10.220.3.202.50756: syn 3496112363
2021-07-26 19:42:05.307813 port2 in 10.220.3.202.50756 -> 10.230.4.86.60921: syn 3328349616 ack 3496112364
2021-07-26 19:42:05.307866 port2 out 10.230.4.86.60921 -> 10.220.3.202.50756: ack 3328349617
