Fortinet white logo
Fortinet white logo

Administration Guide

FTP Proxy

FTP Proxy

You can enable the explicit FTP proxy on one or more FortiProxy interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

note icon Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

To configure the explicit FTP proxy, go to Proxy Settings > FTP Proxy.

Configure the following settings and then click Apply:

Status Select Enable to make the explicit FTP proxy active.
Incoming IP Enter the incoming IP address.
Outgoing IP Enter the outgoing IP address.
Default Firewall Policy Action If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall Policy Action is set to Allow, all FTP proxy sessions that do not match a policy are allowed.
Incoming Port Enter the range of incoming port numbers. Click + to add another range.
API Preview The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.
To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown for the CMDB API that creates the explicit proxy configuration.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.

FTPS handling

When explicit-ftp-tls is enabled in the FTP protocol options, FTP control sessions are proxied to enforce deep inspection so that the proxy can understand FTP control commands after STARTTLS and open a pinhole for FTP data sessions regardless of FTPS deep inspection and/or UTM status.

config firewall profile-protocol-options
    edit "test"
        config ftp
            set ports 21
            set status enable
            set explicit-ftp-tls {disable | enable}
        end
    next
end

When deep inspection is enabled, transparent policy FTP is always redirected.

FTP Proxy

FTP Proxy

You can enable the explicit FTP proxy on one or more FortiProxy interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

note icon Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

To configure the explicit FTP proxy, go to Proxy Settings > FTP Proxy.

Configure the following settings and then click Apply:

Status Select Enable to make the explicit FTP proxy active.
Incoming IP Enter the incoming IP address.
Outgoing IP Enter the outgoing IP address.
Default Firewall Policy Action If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall Policy Action is set to Allow, all FTP proxy sessions that do not match a policy are allowed.
Incoming Port Enter the range of incoming port numbers. Click + to add another range.
API Preview The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.
To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown for the CMDB API that creates the explicit proxy configuration.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.

FTPS handling

When explicit-ftp-tls is enabled in the FTP protocol options, FTP control sessions are proxied to enforce deep inspection so that the proxy can understand FTP control commands after STARTTLS and open a pinhole for FTP data sessions regardless of FTPS deep inspection and/or UTM status.

config firewall profile-protocol-options
    edit "test"
        config ftp
            set ports 21
            set status enable
            set explicit-ftp-tls {disable | enable}
        end
    next
end

When deep inspection is enabled, transparent policy FTP is always redirected.