FTP proxy
FTP proxies can be configured on the FortiGate so that FTP traffic can be proxied. When the FortiGate is configured as an FTP proxy, FTP client applications should be configured to send FTP requests to the FortiGate.
To configure explicit FTP proxy in the GUI:
- Enable and configure explicit FTP proxy:
    - Go to Network > Explicit Proxy.
    - Enable Explicit FTP Proxy.
    - Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
    - Configure the Default Firewall Policy Action as needed.
    - Click Apply.
- Create an explicit FTP proxy policy:
    - Go to Policy & Objects > Proxy Policy.
    - Click Create New.
    - Set Proxy Type to FTP and Outgoing Interface to port1.
    - Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.
    - Click OK to create the policy.
    This example creates a basic policy. If required, security profiles can be enabled.
- Configure the FTP client application to use the FortiGate IP address.
To configure explicit FTP proxy in the CLI:
- Enable and configure explicit FTP proxy:
    config ftp-proxy explicit
        set status enable
        set incoming-port 21
    end
    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set explicit-ftp-proxy enable
            set snmp-index 12
        next
    end
- Create an explicit FTP proxy policy:
    config firewall proxy-policy
        edit 4
            set name "proxy-policy-ftp"
            set proxy ftp
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end
    This example creates a basic policy. If required, security profiles can be enabled.
- Configure the FTP client application to use the FortiGate IP address.
Changing the FTP mode from active to passive for explicit proxy
An explicit FTP proxy can convert an active FTP connection initiated by an FTP client to a passive FTP connection between the explicit FTP proxy and FTP server.
    config ftp-proxy explicit
        set server-data-mode {client | passive}
    end

server-data-mode {client | passive}    Set the data selection mode on the FTP server side:
    client     Use the same data mode on the server side that the FTP client requested.
    passive    Use passive mode for the data session between the explicit FTP proxy and the FTP server, regardless of the mode the client requested.
In this example, a client that only supports active mode FTP connects to a remote FTP server through the explicit FTP proxy to download a text file (test1.txt). The explicit FTP proxy converts the active FTP connection to a passive connection between the explicit FTP proxy and the FTP server.
To configure passive mode for FTP server data sessions:
- Configure the explicit FTP proxy to use passive mode on the server side:
    config ftp-proxy explicit
        set status enable
        set incoming-port 21
        set server-data-mode passive
    end
- Enable the explicit FTP proxy on port1:
    config system interface
        edit "port1"
            set ip 10.1.100.2 255.255.255.0
            set explicit-ftp-proxy enable
        next
    end
- Configure the firewall policy:
    config firewall proxy-policy
        edit 1
            set proxy ftp
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end
- Get the client to download the text file from the FTP server (NcFTP is used in this example; -E forces the client to use active-mode PORT data connections):
    ncftpget -E -r 0 -d stdout -u pc4user1@172.16.200.44 -p 123456 10.1.100.2 ./ /home/pc4user1/test1.txt
    ...
    Cmd: PORT 10,1,100,11,151,115
    200: PORT command successful. Consider using PASV.
    Cmd: RETR /home/pc4user1/test1.txt
- In the FTP server logs, verify that the explicit FTP proxy converted the active FTP connection to a passive connection (the server receives PASV from the proxy at 172.16.200.2, not the client's PORT command):
    ...
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_exec
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_rewrite
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_tls
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_core
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'PASV' to mod_core
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching CMD command 'PASV' to mod_core
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): in dir_check_full(): path = '/home/pc4user1', fullpath = '/home/pc4user1'
    2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): Entering Passive Mode (172,16,200,44,175,61).
    2023-01-28 01:56:39,910 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching POST_CMD command 'PASV' to mod_exec
    2023-01-28 01:56:39,910 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching LOG_CMD command 'PASV' to mod_log
    2023-01-28 01:56:39,911 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'RETR /home/pc4user1/test1.txt' to mod_exec
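The verification step above is done by eye: read the client transcript for a PORT command and the server log for a PASV command, then decode the h1,h2,h3,h4,p1,p2 endpoint encoding that both use. The following script automates that check. It is an added example written for this page, not FortiGate, NcFTP or ProFTPD code; the function names are this example's own, and the sample lines are copied from the ncftpget transcript and ProFTPD log shown above. Beyond confirming the active-to-passive conversion, it also checks that the address the server announces in its PASV reply is the server's own control address, since a PASV reply pointing at some other host is the one thing a proxy operator should never accept from a data-mode conversion.

```python
"""Confirm from FTP control-channel lines that an explicit FTP proxy turned a
client's active-mode (PORT) transfer into a passive-mode (PASV) transfer on the
server side. Added example for this page; not FortiGate/NcFTP/ProFTPD code."""
import re

# RFC 959 encodes a data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"\bPORT\s+" + _HOSTPORT)
PASV_REPLY = re.compile(r"Entering Passive Mode \(" + _HOSTPORT + r"\)")
# Matches a PORT/PASV command as issued, in either the ncftpget "Cmd: ..." transcript
# or ProFTPD's "dispatching ... command '...'" lines; it does not match the server's
# "200: PORT command successful" reply text.
CMD_RE = re.compile(r"(?:Cmd: |command ')(PORT|PASV)\b")


def decode_hostport(groups):
    """Return (ip, port) from the six decimal fields, or None if any field exceeds 255."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_port_command(line):
    """Endpoint a client offered in a PORT command (active mode), or None."""
    m = PORT_CMD.search(line)
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line):
    """Endpoint a server announced in its 227 reply (passive mode), or None."""
    m = PASV_REPLY.search(line)
    return decode_hostport(m.groups()) if m else None


def data_mode(lines):
    """'active' if the first data-setup command seen is PORT, 'passive' if PASV, else None."""
    for line in lines:
        m = CMD_RE.search(line)
        if m:
            return "active" if m.group(1) == "PORT" else "passive"
    return None


def verify_conversion(client_lines, server_lines, server_ip):
    """Summarise both sides of one transfer: did the proxy convert active to passive,
    and does the server's PASV reply point back at the server itself (server_ip)?"""
    client_mode = data_mode(client_lines)
    server_mode = data_mode(server_lines)
    pasv = next((ep for ep in map(parse_pasv_reply, server_lines) if ep), None)
    return {
        "client_mode": client_mode,
        "server_mode": server_mode,
        "converted": client_mode == "active" and server_mode == "passive",
        "pasv_endpoint": pasv,
        "pasv_matches_server": pasv is not None and pasv[0] == server_ip,
    }


# Constructed sample input: excerpts of the ncftpget transcript and ProFTPD log above.
CLIENT_TRANSCRIPT = [
    "Cmd: PORT 10,1,100,11,151,115",
    "200: PORT command successful. Consider using PASV.",
    "Cmd: RETR /home/pc4user1/test1.txt",
]
SERVER_LOG = [
    "2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching CMD command 'PASV' to mod_core",
    "2023-01-28 01:56:39,909 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): Entering Passive Mode (172,16,200,44,175,61).",
    "2023-01-28 01:56:39,911 webproxy_pc04 proftpd[1104] webproxy_pc04 (172.16.200.2[172.16.200.2]): dispatching PRE_CMD command 'RETR /home/pc4user1/test1.txt' to mod_exec",
]

if __name__ == "__main__":
    # The FTP server in the example is 172.16.200.44; the proxy reaches it from 172.16.200.2.
    print(verify_conversion(CLIENT_TRANSCRIPT, SERVER_LOG, "172.16.200.44"))
```

Run against the page's own lines, the client side decodes to 10.1.100.11:38771 (PORT) and the server side to 172.16.200.44:44861 (PASV), so `converted` and `pasv_matches_server` are both true. Feeding it a server log that still shows PORT, or a PASV reply whose address differs from the server's, is how you would catch a proxy that was left in `server-data-mode client` or a server announcing a data endpoint it does not own.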