Handbook

6.0.0
Configuration

You can use the following general steps to configure the explicit FTP proxy.

To enable the explicit FTP proxy - GUI:
  1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options. Select Enable Explicit FTP Proxy to turn on the explicit FTP proxy.
  2. Select Apply.

    The Default Firewall Policy Action is set to Deny and requires you to add an explicit FTP proxy policy to allow access to the explicit FTP proxy. This configuration is recommended and is a best practice because you can use policies to control access to the explicit FTP proxy and also apply security features and authentication.

  3. Go to Network > Interfaces and select one or more interfaces on which to enable the explicit FTP proxy. Edit the interface and select Enable Explicit FTP Proxy.

    Caution: Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk, because anyone on the Internet who finds the proxy can relay FTP sessions through it and hide their source address. If you must enable the proxy on such an interface, make sure that every proxy policy that accepts traffic requires authentication and that the Default Firewall Policy Action stays Deny.
  4. Go to Policy & Objects > Proxy Policy, select Create New, and set the Explicit Proxy Type to FTP.

    You can add multiple explicit FTP proxy policies.

  5. Configure the policy as required to accept the traffic that you want to be processed by the explicit FTP proxy.

    The source address of the policy should match client source IP addresses. The firewall address selected as the source address cannot be assigned to a FortiGate interface. The Interface field of the firewall address must be blank or it must be set to Any.

    The destination address of the policy should match the IP addresses of FTP servers that clients are connecting to. The destination address could be all to allow connections to any FTP server.

    If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall Policy Action is set to Allow, all FTP proxy sessions that do not match a policy are allowed, with no authentication or security profiles applied, so keep the default Deny setting unless you have a specific reason to change it.

    For example the following explicit FTP proxy policy allows users on an internal network to access FTP servers on the Internet through the wan1 interface of a FortiGate unit.

    Explicit Proxy Type FTP
    Source Address Internal_subnet
    Outgoing Interface wan1
    Destination Address all
    Schedule always
    Action ACCEPT

    The following explicit FTP proxy policy requires users on an internal network to authenticate with the FortiGate unit before accessing FTP servers on the Internet through the wan1 interface.

    Explicit Proxy Type FTP
    Source Address Internal_subnet
    Outgoing Interface wan1
    Destination Address all
    Action AUTHENTICATE
  6. Select Create New to add an Authentication Rule and configure the rule as follows:

    Groups Proxy-Group
    Source Users (optional)
    Schedule always
  7. Add security profiles as required and select OK.
  8. You can add multiple authentication rules to apply different authentication for different user groups and users and also apply different security profiles and logging settings for different users.
  9. Select OK.
To enable the explicit FTP proxy - CLI:
  1. Enter the following commands to turn on the explicit FTP proxy. This example also changes the explicit FTP proxy listening port to 2121.

    config ftp-proxy explicit
        set status enable
        set incoming-port 2121
    end

    The default explicit FTP proxy configuration has sec-default-action set to deny and requires you to add a proxy policy (config firewall proxy-policy) to allow access to the explicit FTP proxy.

  2. Enter the following commands to enable the explicit FTP proxy on the internal interface.

    config system interface
        edit internal
            set explicit-ftp-proxy enable
    end

  3. Use the following commands to add a firewall address that matches the source addresses of the users who connect to the explicit FTP proxy.

    config firewall address
        edit Internal_subnet
            set type iprange
            set start-ip 10.31.101.1
            set end-ip 10.31.101.255
    end

    The firewall address used as the source address of an ftp-proxy policy cannot be bound to a FortiGate interface: leave its associated interface blank (any).

  4. Use the following commands to add an explicit FTP proxy policy that allows all users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

    config firewall proxy-policy
        edit 0
            set proxy ftp
            set dstintf wan1
            set srcaddr Internal_subnet
            set dstaddr all
            set action accept
            set schedule always
    end

  5. Use the following commands to add an explicit FTP proxy policy that allows only authenticated users on the internal subnet, that is, members of the user group named in set groups, to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

    config firewall proxy-policy
        edit 0
            set proxy ftp
            set dstintf wan1
            set srcaddr Internal_subnet
            set dstaddr all
            set action accept
            set schedule always
            set groups <User group>
    end
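The conditions the GUI and CLI steps above warn about (Default Firewall Policy Action left at Allow, a proxy enabled on an Internet-facing interface without authentication, an FTP proxy policy that accepts sessions without groups or users, and a source address bound to an interface) can be checked against a saved configuration. The following Python script is an added example written for this page, not FortiOS code and not part of this handbook: it parses the config/edit/set/next/end structure of FortiOS CLI output and reports those four conditions. The embedded configuration is constructed for the example and deliberately weakened; the names of the Internet-facing interfaces (here wan1) are supplied by the caller, and the policy IDs, the interface binding on Internal_subnet and the Proxy-Group group name are assumptions.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, covering the steps on this page
# and deliberately weakened: sec-default-action accept, the proxy enabled on
# wan1, policy 1 without groups/users, and Internal_subnet bound to an
# interface. Not a real device export; IDs and names are assumptions.
SAMPLE_CONFIG = """
config ftp-proxy explicit
    set status enable
    set incoming-port 2121
    set sec-default-action accept
end
config system interface
    edit "internal"
        set explicit-ftp-proxy enable
    next
    edit "wan1"
        set explicit-ftp-proxy enable
    next
end
config firewall address
    edit "Internal_subnet"
        set type iprange
        set start-ip 10.31.101.1
        set end-ip 10.31.101.255
        set associated-interface "internal"
    next
end
config firewall proxy-policy
    edit 1
        set proxy ftp
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
    edit 2
        set proxy ftp
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set groups "Proxy-Group"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts: section name
    ("firewall proxy-policy") -> edit name -> 'set' key -> list of values."""
    root, stack = {}, []
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        kw, args, top = parts[0], parts[1:], (stack[-1] if stack else root)
        if kw == "config":
            stack.append(top.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(top.setdefault(args[0], {}))
        elif kw == "set":
            top[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_ftp_proxy(cfg, wan_ifaces=frozenset()):
    """Return findings for the weaknesses this page warns about. wan_ifaces
    names the Internet-facing interfaces and is supplied by the operator."""
    out = []
    ftp = cfg.get("ftp-proxy explicit", {})
    if ftp.get("status") != ["enable"]:
        return out  # proxy not listening, nothing to audit
    unauth = ftp.get("sec-default-action") == ["accept"]  # absent value means deny
    if unauth:
        out.append("OPEN-DEFAULT: sec-default-action accept; sessions matching no proxy-policy are allowed")
    addrs = cfg.get("firewall address", {})
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") != ["ftp"] or pol.get("action") != ["accept"]:
            continue
        if not (pol.get("groups") or pol.get("users")):
            unauth = True
            out.append(f"NO-AUTH: proxy-policy {pid} accepts FTP proxy sessions without groups or users")
        for aname in pol.get("srcaddr", []):
            bound = addrs.get(aname, {}).get("associated-interface")
            if bound and bound[0] != "any":
                out.append(f"SRC-BOUND: srcaddr {aname} of proxy-policy {pid} is bound to interface {bound[0]}; must be blank or any")
    # The Internet-facing caveat only bites when someone can use the proxy without authenticating.
    for name, iface in cfg.get("system interface", {}).items():
        if name in wan_ifaces and iface.get("explicit-ftp-proxy") == ["enable"] and unauth:
            out.append(f"WAN-PROXY: explicit-ftp-proxy enabled on Internet-facing interface {name} while unauthenticated use is possible")
    return out


if __name__ == "__main__":
    print(*audit_ftp_proxy(parse_fortios(SAMPLE_CONFIG), wan_ifaces={"wan1"}), sep="\n")
```

Feed it the saved output of show full-configuration rather than show: show omits values that are still at their defaults, and the audit treats an absent sec-default-action as deny, which is only correct if the export was complete.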
