Fortinet black logo

Administration Guide

Creating an FTP server policy

Creating an FTP server policy

If your server(s) handle FTP traffic, create an FTP server policy to govern acceptable types of requests to your server(s) by combining rules, profiles, and sub-policies.

FTP server policies can carry out the following tasks:

  • Block or allow connections
  • Route or forward traffic to destination web servers
  • Apply security profiles to specify allowed requests and clients

Until you configure an FTP server policy, FortiWeb will deny all FTP traffic.

Do not create server policies that you're not planning to use. FortiWeb allocates memory to every server policy, even server policies that are disabled. Configuring server policies that you don't plan to use will consume memory and may decrease performance.

Before creating an FTP server policy

Before you begin creating a server policy, you should configure the features and options that you plan to include in the server policy. It's possible to create rules and profiles for things that you plan to include in a server policy while creating it, but you may miss important information and cannot clone or modify any predefined rules and profiles when creating a server policy. For details, see Workflow.

Below are the features and options that you should configure before creating a server policy:

To create an FTP server policy
tooltip icon

If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP server policy. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

  1. Go to Policy > Server Policy.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  3. Click Create New. From the drop-down menu, select Create FTP Policy.
  4. Configure these settings:
  5. Policy Name

    Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

    Deployment Mode

    Ensure that Single Server/Server Pool is selected. This is the only option available.

    Virtual Server

    Select a virtual server that you created. The virtual server identifies the IP address and network interface of incoming traffic that FortiWeb routes and that the policy applies a profile to.

    If you haven't created a virtual server yet, see Configuring virtual servers on your FortiWeb for instructions about creating one.

    Server Pool

    Select the servers(s) that receive requests that match the policy. If you haven't created a server pool yet, see Creating an FTP server pool for instructions about creating one.

    Caution: Multiple servers/policies can forward traffic to the same server pool. If you configure this, consider the total maximum load of connections that all virtual servers forward to the server pool. This configuration can multiply traffic forwarded to the server pool, which can overload the server pool and cause dropped connections.

    Syn Cookie

    Enable to prevent TCP SYN floods. If you enable this option, also configure Half Open Threshold.

    For details, see Preventing a TCP SYN flood.

    Half Open Threshold

    Enter the TCP SYN cookie threshold in packets per second.

    This option is available only when Syn Cookie is enabled.

    Service

    Select the custom or predefined service that specifies the TCP port number where the virtual server receives FTP traffic.

    If you don't create or select a custom service, select between the following predefined services:

    • FTPFortiWeb will communicate with clients and servers using FTP. Select this option if your servers will handle SSL negotiation, encryption, and decryption.
    • FTPSFortiWeb will communicate with clients using FTPS. When this option is selected, FortiWeb will handle SSL negotiation, encryption, and decryption; this is called SSL offloading. Connections between clients and FortiWeb will be encrypted.
    • Note: The Server Pool configuration specifies whether connections between FortiWeb and the server(s) are encrypted. Specifying FTPS for the Service handles connections only between clients and FortiWeb.

      Caution: If you don't select FTPS and provide a certificate for FTPS connections, FortiWeb can't decrypt connections and scan content.

      Tip: FortiWeb appliances contain specialized hardware to accelerate SSL processing. Offloading SSL/TLS processing to FortiWeb can improve the performance of FTPS connections.

    SSL

    Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling SSL will allow you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates.

    By default, when you enable SSL, FortiWeb will communicate with clients using explicit SSL. You can enable Implicit SSL below so that FortiWeb will communicate with clients using implicit SSL.

    Implicit SSL

    Enable so that FortiWeb will communicate with clients using implicit SSL.

    Certificate

    Select the server certificate that FortiWeb will use to encrypt and decrypt SSL-secured connections. If you haven't uploaded a certificate yet, see How to offload or inspect HTTPS for instructions about uploading one.

    This option is available only if you enable SSL.

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb will present to clients. An intermediate CA can complete the signing chain and validate the server certificate's CA signature. If you haven't created a group yet, see How to offload or inspect HTTPS for instructions about creating one.

    Alternatively, you can include the entire signing chain in the server certificate before you upload it to FortiWeb. For details, see How to offload or inspect HTTPS.

    This option is available only if you enable SSL.

    Advanced SSL Settings

    Configure additional SSL settings, including supported SSL protocols and encryption levels.

    These options are available only if you enable SSL.

    Supported SSL Protocols

    Specify which versions of the TLS cryptographic protocols clients can use to connect securely to FortiWeb or your server(s). For details about which protocols to enable, see Supported cipher suites & protocol versions.

    This option is available only if you enable SSL.

    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or customized security configuration.

    If you specify Customized, you can select ciphers and use the arrow keys to move ciphers to the appropriate list.

    For details about cipher suites, see Supported cipher suites & protocol versions.

    This option is available only if you enable SSL.

    Disable Client-Initiated SSL Renegotiation

    Enable so that FortiWeb will ignore requests from clients to renegotiate SSL/TLS. If enabled, this option protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to burden the server(s).

    This option is available only if you enable SSL.

    FTP Security Profile

    Specify the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see Configuring an FTP security inline profile for instructions about creating one.

    Monitor Mode

    Enable to override any enforcement actions in the FTP Security Profile, including actions that are included in sub-profiles and rules. Instead, FortiWeb will accept all requests and generate an alert email and/or log message for all policy violations.

    Comments

    Optionally, enter a description or comment for the policy. The description can be up to 999 characters in length.

  6. Click OK.
  7. When you create a server policy, by default, the policy is enabled. The server policy is displayed at Policy > Server Policy.

    Legitimate FTP traffic should now be able to flow, and FortiWeb will respond to policy-violating traffic with the enforcement actions specified in the server policy.

  8. To verify the server policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates a rule in the server policy to confirm that FortiWeb responds appropriately.

Enabling or disabling a policy

You can enable and disable server policies that you've created.

Disabling an FTP server policy could block all FTP traffic if no remaining active server policies match the traffic. When no policies exist or none are enabled, the FortiWeb appliance blocks all FTP/FTPS traffic.

Even if you disable a server policy, it still consumes memory. If you don't plan to use the policy for some time, consider deleting it instead.

To enable or disable a policy
  1. Go to Policy > Server Policy.
  2. In the row corresponding to the policy that you want to enable, click the switch on in the Enable column.
  3. In the row corresponding to the policy that you want to disable, click the switch off in the Enable column.

Creating an FTP server policy

If your server(s) handle FTP traffic, create an FTP server policy to govern acceptable types of requests to your server(s) by combining rules, profiles, and sub-policies.

FTP server policies can carry out the following tasks:

  • Block or allow connections
  • Route or forward traffic to destination web servers
  • Apply security profiles to specify allowed requests and clients

Until you configure an FTP server policy, FortiWeb will deny all FTP traffic.

Do not create server policies that you're not planning to use. FortiWeb allocates memory to every server policy, even server policies that are disabled. Configuring server policies that you don't plan to use will consume memory and may decrease performance.

Before creating an FTP server policy

Before you begin creating a server policy, you should configure the features and options that you plan to include in the server policy. It's possible to create rules and profiles for things that you plan to include in a server policy while creating it, but you may miss important information and cannot clone or modify any predefined rules and profiles when creating a server policy. For details, see Workflow.

Below are the features and options that you should configure before creating a server policy:

To create an FTP server policy
tooltip icon

If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP server policy. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

  1. Go to Policy > Server Policy.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  3. Click Create New. From the drop-down menu, select Create FTP Policy.
  4. Configure these settings:
  5. Policy Name

    Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

    Deployment Mode

    Ensure that Single Server/Server Pool is selected. This is the only option available.

    Virtual Server

    Select a virtual server that you created. The virtual server identifies the IP address and network interface of incoming traffic that FortiWeb routes and that the policy applies a profile to.

    If you haven't created a virtual server yet, see Configuring virtual servers on your FortiWeb for instructions about creating one.

    Server Pool

    Select the servers(s) that receive requests that match the policy. If you haven't created a server pool yet, see Creating an FTP server pool for instructions about creating one.

    Caution: Multiple servers/policies can forward traffic to the same server pool. If you configure this, consider the total maximum load of connections that all virtual servers forward to the server pool. This configuration can multiply traffic forwarded to the server pool, which can overload the server pool and cause dropped connections.

    Syn Cookie

    Enable to prevent TCP SYN floods. If you enable this option, also configure Half Open Threshold.

    For details, see Preventing a TCP SYN flood.

    Half Open Threshold

    Enter the TCP SYN cookie threshold in packets per second.

    This option is available only when Syn Cookie is enabled.

    Service

    Select the custom or predefined service that specifies the TCP port number where the virtual server receives FTP traffic.

    If you don't create or select a custom service, select between the following predefined services:

    • FTPFortiWeb will communicate with clients and servers using FTP. Select this option if your servers will handle SSL negotiation, encryption, and decryption.
    • FTPSFortiWeb will communicate with clients using FTPS. When this option is selected, FortiWeb will handle SSL negotiation, encryption, and decryption; this is called SSL offloading. Connections between clients and FortiWeb will be encrypted.
    • Note: The Server Pool configuration specifies whether connections between FortiWeb and the server(s) are encrypted. Specifying FTPS for the Service handles connections only between clients and FortiWeb.

      Caution: If you don't select FTPS and provide a certificate for FTPS connections, FortiWeb can't decrypt connections and scan content.

      Tip: FortiWeb appliances contain specialized hardware to accelerate SSL processing. Offloading SSL/TLS processing to FortiWeb can improve the performance of FTPS connections.

    SSL

    Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling SSL will allow you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates.

    By default, when you enable SSL, FortiWeb will communicate with clients using explicit SSL. You can enable Implicit SSL below so that FortiWeb will communicate with clients using implicit SSL.

    Implicit SSL

    Enable so that FortiWeb will communicate with clients using implicit SSL.

    Certificate

    Select the server certificate that FortiWeb will use to encrypt and decrypt SSL-secured connections. If you haven't uploaded a certificate yet, see How to offload or inspect HTTPS for instructions about uploading one.

    This option is available only if you enable SSL.

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb will present to clients. An intermediate CA can complete the signing chain and validate the server certificate's CA signature. If you haven't created a group yet, see How to offload or inspect HTTPS for instructions about creating one.

    Alternatively, you can include the entire signing chain in the server certificate before you upload it to FortiWeb. For details, see How to offload or inspect HTTPS.

    This option is available only if you enable SSL.

    Advanced SSL Settings

    Configure additional SSL settings, including supported SSL protocols and encryption levels.

    These options are available only if you enable SSL.

    Supported SSL Protocols

    Specify which versions of the TLS cryptographic protocols clients can use to connect securely to FortiWeb or your server(s). For details about which protocols to enable, see Supported cipher suites & protocol versions.

    This option is available only if you enable SSL.

    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or customized security configuration.

    If you specify Customized, you can select ciphers and use the arrow keys to move ciphers to the appropriate list.

    For details about cipher suites, see Supported cipher suites & protocol versions.

    This option is available only if you enable SSL.

    Disable Client-Initiated SSL Renegotiation

    Enable so that FortiWeb will ignore requests from clients to renegotiate SSL/TLS. If enabled, this option protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to burden the server(s).

    This option is available only if you enable SSL.

    FTP Security Profile

    Specify the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see Configuring an FTP security inline profile for instructions about creating one.

    Monitor Mode

    Enable to override any enforcement actions in the FTP Security Profile, including actions that are included in sub-profiles and rules. Instead, FortiWeb will accept all requests and generate an alert email and/or log message for all policy violations.

    Comments

    Optionally, enter a description or comment for the policy. The description can be up to 999 characters in length.

  6. Click OK.
  7. When you create a server policy, by default, the policy is enabled. The server policy is displayed at Policy > Server Policy.

    Legitimate FTP traffic should now be able to flow, and FortiWeb will respond to policy-violating traffic with the enforcement actions specified in the server policy.

  8. To verify the server policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates a rule in the server policy to confirm that FortiWeb responds appropriately.

Enabling or disabling a policy

You can enable and disable server policies that you've created.

Disabling an FTP server policy could block all FTP traffic if no remaining active server policies match the traffic. When no policies exist or none are enabled, the FortiWeb appliance blocks all FTP/FTPS traffic.

Even if you disable a server policy, it still consumes memory. If you don't plan to use the policy for some time, consider deleting it instead.

To enable or disable a policy
  1. Go to Policy > Server Policy.
  2. In the row corresponding to the policy that you want to enable, click the switch on in the Enable column.
  3. In the row corresponding to the policy that you want to disable, click the switch off in the Enable column.