
Handbook

6.0.0

Example

This example describes how to configure the explicit FTP proxy for the example network shown below. In this example, users on the internal network connect to the explicit FTP proxy through the Internal interface with IP address 10.31.101.100. The explicit FTP proxy is configured to use port 2121, so to connect to an FTP server on the Internet, users must first connect to the explicit FTP proxy using IP address 10.31.101.100 and port 2121.

Example explicit FTP proxy network topology

In this example, explicit FTP proxy users must authenticate with a RADIUS server before getting access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity based policy that applies per session authentication to explicit FTP proxy users and includes a user group with the RADIUS server in it. The identity based policy also applies UTM virus scanning and DLP.

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Enable the explicit FTP proxy and change the FTP port to 2121.
  2. Enable the explicit FTP proxy on the internal interface.
  3. Add a RADIUS server and user group for the explicit FTP proxy.
  4. Add a user identity security policy for the explicit FTP proxy.
  5. Enable antivirus and DLP features for the identity-based policy.

Configuring the explicit FTP proxy - GUI

Use the following steps to configure the explicit FTP proxy from the FortiGate GUI.

To enable and configure the explicit FTP proxy
  1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:

    Enable Explicit FTP Proxy Select.
    Listen on Interface No change. This field will eventually show that the explicit FTP proxy is enabled for the Internal interface.
    FTP Port 2121
    Default Firewall Policy Action Deny
  2. Select Apply.
To enable the explicit FTP proxy on the Internal interface
  1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.
To add a RADIUS server and user group for the explicit FTP proxy
  1. Go to User & Device > RADIUS Servers.
  2. Select Create New to add a new RADIUS server:

    Name RADIUS_1
    Primary Server Name/IP 10.31.101.200
    Primary Server Secret RADIUS_server_secret
  3. Go to User > User > User Groups and select Create New.

    Name Explicit_proxy_user_group
    Type Firewall
    Remote groups RADIUS_1
    Group Name ANY
  4. Select OK.
To add a security policy for the explicit FTP proxy
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Add a firewall address for the internal network:

    Address Name Internal_subnet
    Type Subnet
    Subnet / IP Range 10.31.101.0
    Interface Any
  3. Go to Policy & Objects > Proxy Policy and select Create New.
  4. Configure the explicit FTP proxy security policy.

    Explicit Proxy Type FTP
    Source Address Internal_subnet
    Outgoing Interface wan1
    Destination Address all
    Action AUTHENTICATE
  5. Under Configure Authentication Rules select Create New to add an authentication rule:

    Groups Explicit_policy
    Users Leave blank
    Schedule always
  6. Turn on Antivirus and Web Filter and select the default profiles for both.
  7. Select the default proxy options profile.
  8. Select OK.
  9. Make sure Enable IP Based Authentication is not selected and Default Authentication Method is set to Basic.
  10. Select OK.

Configuring the explicit FTP proxy - CLI

Use the following steps to configure the example explicit FTP proxy configuration from the CLI.

To enable and configure the explicit FTP proxy

Enter the following command to enable the explicit FTP proxy and set the TCP port on which the proxy accepts FTP connections to 2121.

    config ftp-proxy explicit
        set status enable
        set incoming-port 2121
        set sec-default-action deny
    end

To enable the explicit FTP proxy on the Internal interface
  1. Enter the following command to enable the explicit FTP proxy on the internal interface.

    config system interface
        edit internal
            set explicit-ftp-proxy enable
        next
    end

To add a RADIUS server and user group for the explicit FTP proxy
  1. Enter the following command to add a RADIUS server:

    config user radius
        edit RADIUS_1
            set server 10.31.101.200
            set secret RADIUS_server_secret
        next
    end

  2. Enter the following command to add a user group for the RADIUS server.

    config user group
        edit Explicit_proxy_user_group
            set group-type firewall
            set member RADIUS_1
        next
    end

To add a security policy for the explicit FTP proxy
  1. Enter the following command to add a firewall address for the internal subnet:

    config firewall address
        edit Internal_subnet
            set type iprange
            set start-ip 10.31.101.1
            set end-ip 10.31.101.255
        next
    end

  2. Enter the following command to add the explicit FTP proxy security policy:

    config firewall proxy-policy
        edit 0
            set proxy ftp
            set dstintf wan1
            set srcaddr Internal_subnet
            set dstaddr all
            set action accept
            set identity-based enable
            set ipbased disable
            set groups <User group>
        next
    end
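
A saved configuration can be checked for the settings this procedure depends on. The following Python sketch is an added example, not Fortinet code: it parses flat config/edit/set blocks and flags a default action other than deny, an FTP proxy policy that accepts traffic without a user group, or one where ipbased is not disabled. The sample text and the policy ID 1 are constructed, and nested config blocks are assumed absent.

```python
import shlex

# Constructed sample of a saved configuration; the group name is filled in for <User group>.
SAMPLE_CONFIG = """
config ftp-proxy explicit
    set status enable
    set incoming-port 2121
    set sec-default-action deny
end
config firewall proxy-policy
    edit 1
        set proxy ftp
        set action accept
        set ipbased disable
        set groups Explicit_proxy_user_group
    next
end
"""

def parse_settings(text):
    """Return {(section, entry, key): [values]} for flat config/edit/set blocks."""
    settings, section, entry = {}, None, None
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "config":        # a new section also clears the current entry
            section, entry = " ".join(words[1:]), None
        elif words[0] == "edit":
            entry = words[1]
        elif words[0] == "next":
            entry = None
        elif words[0] == "set" and section:
            settings[(section, entry, words[1])] = words[2:]
    return settings

def audit_ftp_proxy(text):
    """Return findings; an empty list means every check passed."""
    s, findings = parse_settings(text), []
    if s.get(("ftp-proxy explicit", None, "sec-default-action")) != ["deny"]:
        findings.append("sec-default-action is not deny")
    ftp = sorted(e for (sec, e, k), v in s.items()
                 if sec == "firewall proxy-policy" and k == "proxy" and v == ["ftp"])
    for e in ftp:
        get = lambda key: s.get(("firewall proxy-policy", e, key))
        if get("action") == ["accept"] and not get("groups"):
            findings.append(f"policy {e}: accepts FTP without a user group")
        if get("ipbased") != ["disable"]:
            findings.append(f"policy {e}: ipbased is not disable")
    return findings
```

`audit_ftp_proxy(SAMPLE_CONFIG)` returns an empty list; removing the `set groups` line or changing the default action produces one finding each.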

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command line FTP client.

To test the explicit FTP proxy configuration
  1. From a system on the internal network, start an FTP client and enter the following command to connect to the FTP proxy on port 2121:

    ftp 10.31.101.100 2121

    The explicit FTP proxy should respond with a message similar to the following:

    Connected to 10.31.101.100.
    220 Welcome to Floodgate FTP proxy
    Name (10.31.101.100:user):

  2. At the prompt, enter a valid username and password for the RADIUS server, followed by a user name for an FTP server on the Internet and the address of the FTP server. For example, if a valid username and password on the RADIUS server are ex_name and ex_pass and you want to connect to an FTP server at ftp.example.com with user name s_name, enter the following at the prompt:

    Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com

  3. You should be prompted for the password for the account on the FTP server.
  4. Enter the password and you should be able to connect to the FTP server.
  5. Attempt to explore the FTP server file system and download or upload files.
  6. To test UTM functionality, attempt to upload or download an EICAR test file, or upload or download a text file containing text that would be matched by the DLP sensor.

    For EICAR test files, go to http://eicar.org.
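
Because the RADIUS password is typed at the Name prompt, it is echoed on screen and sent in the FTP USER command, so it appears in client transcripts and debug output. The following Python helper is an added example, not part of the original page: it splits the composite login from step 2 and masks the proxy password before a transcript is shared. The splitting rule (first two colons, last @) and the `---> USER` debug line format are assumptions.

```python
import re

# Composite login from the test procedure: proxy_user:proxy_pass:remote_user@remote_host.
# Assumption (not from the page): the first two colons delimit the proxy
# credentials and the last '@' starts the remote host.
LOGIN = re.compile(
    r"(?P<puser>[^:\s]+):(?P<ppass>[^:\s]+):(?P<ruser>\S+)@(?P<host>[^@\s]+)")

# Text that can precede the login in a transcript: the client's Name prompt,
# or a USER command as shown in client debug output (assumed format).
PREFIX = re.compile(r"^(Name \([^)]*\):\s*|(?:---> )?USER\s+)")

def parse_login(value):
    """Split a composite login into its four fields, or return None."""
    m = LOGIN.fullmatch(value.strip())
    return m.groupdict() if m else None

def redact(line):
    """Mask the proxy password in a transcript line; other lines pass through."""
    m = PREFIX.match(line)
    fields = parse_login(line[m.end():]) if m else None
    if not fields:
        return line
    return f"{m.group(0)}{fields['puser']}:***:{fields['ruser']}@{fields['host']}"

# Constructed transcript lines using the page's example values.
SAMPLE = [
    "Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com",
    "---> USER ex_name:ex_pass:s_name@ftp.example.com",
    "220 Welcome to Floodgate FTP proxy",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact(line))
```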
