Changing the FTP mode from active to passive for explicit proxy
This information is also available in the FortiOS 7.4 Administration Guide.
An explicit FTP proxy can convert an active FTP connection initiated by an FTP client to a passive FTP connection between the explicit FTP proxy and FTP server.
config ftp-proxy explicit
    set server-data-mode {client | passive}
end

server-data-mode {client | passive}
    Set the data selection mode on the FTP server side.
Example
In this example, a client that only supports active mode FTP connects to a remote FTP server through the explicit FTP proxy to download a text file (test1.txt). The explicit FTP proxy converts the active FTP connection to a passive connection between the explicit FTP proxy and the FTP server.
To configure passive mode for FTP server data sessions:
- Configure the explicit FTP proxy:

    config ftp-proxy explicit
        set status enable
        set incoming-port 21
        set server-data-mode passive
    end
- Enable the explicit FTP proxy on port1:

    config system interface
        edit "port1"
            set ip 10.1.100.2 255.255.255.0
            set explicit-ftp-proxy enable
        next
    end
- Configure the firewall policy:

    config firewall proxy-policy
        edit 1
            set proxy ftp
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end
- Get the client to download the text file from the FTP server (NcFTP is used in this example):

    ncftpget -E -r 0 -d stdout -u pc4user1@172.16.200.44 -p 123456 10.1.100.2 ./ /home/pc4user1/test1.txt
    ...
    Cmd: PORT 10,1,100,11,151,115
    200: PORT command successful. Consider using PASV.
    Cmd: RETR /home/pc4user1/test1.txt
- In the FTP server logs, verify that the explicit FTP proxy converted the active FTP connection to a passive connection:

    ...
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_exec
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_rewrite
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_tls
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_core
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_core
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching CMD command 'PASV' to mod_core
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): in dir_check_full(): path = '/home/pc4user1', fullpath = '/home/pc4user1'
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): Entering Passive Mode (172,16,200,44,175,61).
    2023-01-28 01:56:39,910 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching POST_CMD command 'PASV' to mod_exec
    2023-01-28 01:56:39,910 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching LOG_CMD command 'PASV' to mod_log
    2023-01-28 01:56:39,911 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'RETR /home/pc4user1/test1.txt' to mod_exec
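The verification in the last step can be automated. The following is an added example, not part of the Fortinet guide: it decodes the `h1,h2,h3,h4,p1,p2` tuple used by PORT and PASV, and classifies the data mode that the proxy's session negotiated with the server. The function names are assumptions, and the active-mode log line is constructed for contrast, modeled on the format of the proftpd lines above.

```python
import re

# Host/port tuple carried by PORT arguments and PASV replies: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) for the first h1,h2,h3,h4,p1,p2 tuple in text, else None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # each field must fit in one byte
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def server_side_mode(log_lines, proxy_ip):
    """Classify the data mode negotiated by the session coming from proxy_ip.

    Returns ("passive", (ip, port)), ("active", (ip, port)) or ("unknown", None).
    """
    session = f"({proxy_ip}["
    for line in log_lines:
        if session not in line:
            continue  # belongs to another client's session
        if "Entering Passive Mode" in line:
            return "passive", decode_hostport(line.split("Entering Passive Mode", 1)[1])
        m = re.search(r"dispatching CMD command 'PORT ([\d,]+)'", line)
        if m:
            return "active", decode_hostport(m.group(1))
    return "unknown", None

PREFIX = ("2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] "
          "webproxy_pc04 (172.16.200.2[172.16.200.2]): ")
# Two lines taken from the server log shown on the page.
PAGE_LOG = [
    PREFIX + "dispatching CMD command 'PASV' to mod_core",
    PREFIX + "Entering Passive Mode (172,16,200,44,175,61).",
]
# Constructed line (not from the page): an unconverted active-mode session.
ACTIVE_LOG = [PREFIX + "dispatching CMD command 'PORT 172,16,200,2,151,115' to mod_core"]

if __name__ == "__main__":
    print("client side:", decode_hostport("PORT 10,1,100,11,151,115"))
    print("server side:", server_side_mode(PAGE_LOG, "172.16.200.2"))
    print("server side:", server_side_mode(ACTIVE_LOG, "172.16.200.2"))
```

A result of `passive` for the proxy's source address (172.16.200.2 in this example) while the client issued `PORT` confirms the conversion; `active` means the server-side session was not converted.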