Creating an FTP server policy
If your server(s) handle FTP traffic, create an FTP server policy to govern acceptable types of requests to your server(s) by combining rules, profiles, and sub-policies.
FTP server policies can carry out the following tasks:
- Block or allow connections
- Route or forward traffic to destination web servers
- Apply security profiles to specify allowed requests and clients
Until you configure an FTP server policy, FortiWeb will deny all FTP traffic.
Do not create server policies that you're not planning to use. FortiWeb allocates memory to every server policy, even server policies that are disabled. Configuring server policies that you don't plan to use will consume memory and may decrease performance.
Before creating an FTP server policy
Before you begin creating a server policy, you should configure the features and options that you plan to include in the server policy. It's possible to create rules and profiles for things that you plan to include in a server policy while creating it, but you may miss important information and cannot clone or modify any predefined rules and profiles when creating a server policy. For details, see Workflow.
Below are the features and options that you should configure before creating a server policy:
- If you're planning to enable SSL for secure FTP communication, upload the server's certificate and intermediate CA certificate group. For details, see Uploading a server certificate and Supplementing a server certificate with its signing chain.
- Create a server pool so that FortiWeb can send FTP traffic to the server(s) that handle(s) FTP. For details, see Creating an FTP server pool.
- Create a virtual server to receive FTP traffic on FortiWeb. For details, see Configuring virtual servers on your FortiWeb.
- Create an FTP security inline profile to set limits and restrictions on the type of requests to your server(s) that clients can make. For details, see Configuring an FTP security inline profile.
To create an FTP server policy
If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP server policy. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

- Go to Policy > Server Policy.
- Click Create New. From the drop-down menu, select Create FTP Policy.
- Configure these settings:

| Setting | Description |
| --- | --- |
| Policy Name | Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters. |
| Deployment Mode | Ensure that … |
| Virtual Server | Select a virtual server that you created. The virtual server identifies the IP address and network interface of incoming traffic that FortiWeb routes and that the policy applies a profile to. If you haven't created a virtual server yet, see Configuring virtual servers on your FortiWeb for instructions about creating one. |
| Server Pool | Select the server(s) that receive requests that match the policy. If you haven't created a server pool yet, see Creating an FTP server pool for instructions about creating one. Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you configure this, consider the total maximum load of connections that all virtual servers forward to the server pool. This configuration can multiply traffic forwarded to the server pool, which can overload the server pool and cause dropped connections. |
| Syn Cookie | Enable to prevent TCP SYN floods. For details, see Preventing a TCP SYN flood. |
| | Enter the TCP … This option is available only when Syn Cookie is enabled. |
| Service | Select the custom or predefined service that specifies the TCP port number where the virtual server receives FTP traffic. If you don't create or select a custom service, select one of the following predefined services. FTP: FortiWeb will communicate with clients and servers using FTP. Select this option if your servers will handle SSL negotiation, encryption, and decryption. FTPS: FortiWeb will communicate with clients using FTPS. When this option is selected, FortiWeb will handle SSL negotiation, encryption, and decryption; this is called SSL offloading. Connections between clients and FortiWeb will be encrypted. Note: The Server Pool configuration specifies whether connections between FortiWeb and the server(s) are encrypted. Specifying FTPS for the Service handles connections only between clients and FortiWeb. Caution: If you don't select FTPS and provide a certificate for FTPS connections, FortiWeb can't decrypt connections and scan content. Tip: FortiWeb appliances contain specialized hardware to accelerate SSL processing. Offloading SSL/TLS processing to FortiWeb can improve the performance of FTPS connections. |
| SSL | Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling SSL will allow you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates. By default, when you enable SSL, FortiWeb will communicate with clients using explicit SSL. You can enable Implicit SSL below so that FortiWeb will communicate with clients using implicit SSL. |
| Implicit SSL | Enable so that FortiWeb will communicate with clients using implicit SSL. |
| Certificate | Select the server certificate that FortiWeb will use to encrypt and decrypt SSL-secured connections. If you haven't uploaded a certificate yet, see Uploading a server certificate for instructions about uploading one. This option is available only if you enable SSL. |
| Certificate Intermediate Group | Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb will present to clients. An intermediate CA can complete the signing chain and validate the server certificate's CA signature. If you haven't created a group yet, see Supplementing a server certificate with its signing chain for instructions about creating one. Alternatively, you can include the entire signing chain in the server certificate before you upload it to FortiWeb. For details, see Supplementing a server certificate with its signing chain. This option is available only if you enable SSL. |
| Advanced SSL Settings | Configure additional SSL settings, including supported SSL protocols and encryption levels. These options are available only if you enable SSL. |
| Supported SSL Protocols | Specify which versions of the TLS cryptographic protocols clients can use to connect securely to FortiWeb or your server(s). For details about which protocols to enable, see Supported cipher suites & protocol versions. This option is available only if you enable SSL. |
| SSL/TLS Encryption Level | Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or customized security configuration. If you specify Customized, you can select ciphers and use the arrow keys to move ciphers to the appropriate list. For details about cipher suites, see Supported cipher suites & protocol versions. This option is available only if you enable SSL. |
| Disable Client-Initiated SSL Renegotiation | Enable so that FortiWeb will ignore requests from clients to renegotiate SSL/TLS. If enabled, this option protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to burden the server(s). This option is available only if you enable SSL. |
| FTP Security Profile | Specify the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see Configuring an FTP security inline profile for instructions about creating one. |
| | Enable to override any enforcement actions in the FTP Security Profile, including actions that are included in sub-profiles and rules. Instead, FortiWeb will accept all requests and generate an alert email and/or log message for all policy violations. |
| Comments | Optionally, enter a description or comment for the policy. The description can be up to 999 characters in length. |

- Click OK.
- To verify the server policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates a rule in the server policy to confirm that FortiWeb responds appropriately.
When you create a server policy, by default, the policy is enabled. The server policy is displayed at Policy > Server Policy.
Legitimate FTP traffic should now be able to flow, and FortiWeb will respond to policy-violating traffic with the enforcement actions specified in the server policy.
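As an added pre-flight check that is not part of the FortiWeb documentation, the following Python script lints a set of planned FTP server policies against the constraints and cautions given in the settings table above: the Policy Name format, an FTPS service configured without SSL and a certificate, Implicit SSL without SSL, client-initiated renegotiation left allowed, disabled policies that still consume memory, and several policies forwarding to the same server pool. The FtpPolicy field names and the sample policies are constructed for this example; they are not FortiWeb's own CLI or API names.

```python
import re
from dataclasses import dataclass

# Constructed model of the settings in the FTP server policy table.
# Field names are assumptions for this example, not FortiWeb CLI/API names.
@dataclass
class FtpPolicy:
    name: str
    virtual_server: str
    server_pool: str
    service: str                    # predefined service: "FTP" or "FTPS"
    ssl: bool = False               # SSL setting (explicit SSL by default)
    implicit_ssl: bool = False      # Implicit SSL setting
    certificate: str = ""           # uploaded server certificate name, if any
    disable_client_renegotiation: bool = False
    enabled: bool = True
    comments: str = ""

# Policy Name: no spaces or special characters, at most 63 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")

def lint_policy(p: FtpPolicy) -> list[str]:
    """Findings for one policy, derived from the cautions in the settings table."""
    checks = [
        (not NAME_RE.match(p.name), "name must be 1-63 characters with no spaces or special characters"),
        (len(p.comments) > 999, "comments exceed 999 characters"),
        (p.service == "FTPS" and not (p.ssl and p.certificate),
         "FTPS service without SSL and a certificate: FortiWeb cannot decrypt or scan it"),
        (p.implicit_ssl and not p.ssl, "Implicit SSL requires SSL to be enabled"),
        (p.ssl and not p.disable_client_renegotiation,
         "client-initiated SSL renegotiation still allowed (renegotiation DoS risk)"),
        (not p.enabled, "disabled policy still consumes memory; delete it if it will not be used"),
    ]
    return [f"{p.name}: {msg}" for hit, msg in checks if hit]

def lint_policies(policies: list[FtpPolicy]) -> list[str]:
    """Lint each policy, then flag server pools that more than one policy forwards to."""
    findings = [x for p in policies for x in lint_policy(p)]
    by_pool: dict[str, list[str]] = {}
    for p in policies:
        by_pool.setdefault(p.server_pool, []).append(p.name)
    for pool, names in by_pool.items():
        if len(names) > 1:
            findings.append(f"pool {pool!r} is shared by {names}; size it for the combined connection load")
    return findings

# Constructed sample: one sound FTPS policy and one with several problems.
SAMPLE = [
    FtpPolicy("ftps-prod", "vs-ftp", "pool-ftp", "FTPS", ssl=True,
              certificate="ftp-server-cert", disable_client_renegotiation=True),
    FtpPolicy("old ftp policy", "vs-ftp-legacy", "pool-ftp", "FTPS", enabled=False),
]
```

Running `lint_policies(SAMPLE)` reports nothing for the first policy and four findings in total: the invalid name, FTPS without SSL, the disabled policy, and the shared server pool.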
Enabling or disabling a policy
You can enable and disable server policies that you've created.
Disabling an FTP server policy could block all FTP traffic if no remaining active server policies match the traffic. When no policies exist or none are enabled, the FortiWeb appliance blocks all FTP/FTPS traffic.
Even if you disable a server policy, it still consumes memory. If you don't plan to use the policy for some time, consider deleting it instead.
To enable or disable a policy
- Go to Policy > Server Policy.
- In the row corresponding to the policy that you want to enable, click the switch on in the Enable column.
- In the row corresponding to the policy that you want to disable, click the switch off in the Enable column.