CLI Reference

ftp-proxy explicit

Use this command to enable the explicit FTP proxy, and configure the TCP port used by the explicit FTP proxy.

config ftp-proxy explicit
    set status {enable | disable}   Enable/disable the explicit FTP proxy.
    set incoming-port {string}   Accept incoming FTP requests on one or more ports.
    set incoming-ip {ipv4 address any}   Accept incoming FTP requests from this IP address. An interface must have this IP address.
    set outgoing-ip {ipv4 address any}   Outgoing FTP requests will leave from this IP address. An interface must have this IP address.
    set sec-default-action {accept | deny}   Accept or deny explicit FTP proxy sessions when no FTP proxy firewall policy exists.
            accept  Accept requests. All explicit FTP proxy traffic is accepted whether there is an explicit FTP proxy policy or not.
            deny    Deny requests unless there is a matching explicit FTP proxy policy.
end

Additional information

The following section is for those options that require additional explanation.

status

Enable/disable the explicit FTP proxy for FTP sessions.

incoming-port

Enter the port number that traffic from FTP clients uses to connect to the explicit FTP proxy. The range is 0 to 65535. Explicit FTP proxy users must configure their FTP client proxy settings to use this port.

Default value: 21

incoming-ip

Enter the IP address of a FortiGate unit interface that should accept sessions for the explicit FTP proxy. Use this command to restrict the explicit FTP proxy to only accepting sessions from one FortiGate interface.

The destination IP address of explicit FTP proxy sessions should match this IP address.

This field is visible in NAT mode only.

outgoing-ip

Enter the IP address of the FortiGate unit interface from which explicit FTP proxy sessions should exit the FortiGate unit. Use this command to restrict the explicit FTP proxy to only allowing sessions to exit from one FortiGate interface.

This IP address becomes the source address of FTP proxy sessions exiting the FortiGate unit.

This field is visible in NAT mode only.

sec-default-action

Configure the explicit FTP proxy to block (deny) or accept sessions if firewall policies have not been added for the explicit FTP proxy. To add firewall policies for the explicit FTP proxy, add a firewall policy and set the source interface to ftp-proxy.

The default setting denies access to the explicit FTP proxy before adding a firewall policy. If you set this option to accept, the explicit FTP proxy server accepts sessions even if you haven’t added an ftp-proxy firewall policy.
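The following audit sketch is an added example, not Fortinet code: it reads the `config ftp-proxy explicit` block from a configuration dump and flags an enabled proxy that accepts sessions without a policy or is not bound to one interface. The default `status` of `disable`, the treatment of `0.0.0.0` as "unset", and the sample configurations and addresses are assumptions.

```python
import re

# incoming-port 21 and sec-default-action deny are the defaults stated on this page;
# status "disable" and 0.0.0.0 meaning "unset" are assumptions of this example.
DEFAULTS = {"status": "disable", "incoming-port": "21", "incoming-ip": "0.0.0.0",
            "outgoing-ip": "0.0.0.0", "sec-default-action": "deny"}

def parse_ftp_proxy(config_text):
    """Return the effective 'config ftp-proxy explicit' settings from a config dump."""
    settings, inside = dict(DEFAULTS), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config ftp-proxy explicit":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit(settings):
    """List findings for an enabled explicit FTP proxy; a disabled proxy has none."""
    if settings["status"] != "enable":
        return []
    findings = []
    if settings["sec-default-action"] == "accept":
        findings.append("sec-default-action accept: sessions pass without an ftp-proxy policy")
    if settings["incoming-ip"] == "0.0.0.0":
        findings.append("incoming-ip unset: proxy not restricted to one interface")
    return findings

# Constructed sample configurations (addresses are documentation-range placeholders).
WEAK = """config ftp-proxy explicit
    set status enable
    set sec-default-action accept
end"""
HARDENED = """config ftp-proxy explicit
    set status enable
    set incoming-port 2121
    set incoming-ip 192.0.2.1
    set outgoing-ip 198.51.100.1
    set sec-default-action deny
end"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_ftp_proxy(cfg)))
```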
