Example users on an internal network connecting to FTP servers on the Internet through the explicit FTP with RADIUS authentication and virus scanning

Example users on an internal network connecting to FTP servers on the Internet through the explicit FTP with RADIUS authentication and virus scanning

This example describes how to configure the explicit FTP proxy for the example network shown below. In this example, users on the internal network connect to the explicit FTP proxy through the Internal interface with IP address 10.31.101.100. The explicit web proxy is configured to use port 2121 so to connect to an FTP server on the Internet users must first connect to the explicit FTP proxy using IP address 10.31.101.100 and port 2121.

 

Example explicit FTP proxy network topology

In this example, explicit FTP proxy users must authenticate with a RADIUS server before getting access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity based policy that applies per session authentication to explicit FTP proxy users and includes a user group with the RADIUS server in it. The identity based policy also applies UTM virus scanning and DLP.

 

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Enable the explicit FTP proxy and change the FTP port to 2121.

2. Enable the explicit FTP proxy on the internal interface.

3. Add a RADIUS server and user group for the explicit FTP proxy.

4. Add a user identity security policy for the explicit FTP proxy.

5. Enable antivirus and DLP features for the identity-based policy.

 

Configuring the explicit FTP proxy – web-based manager

Use the following steps to configure the explicit FTP proxy from FortiGate web-based manager.

 

To enable and configure the explicit FTP proxy

1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:

 

Enable Explicit FTP Proxy       Select.

Listen on Interface                   No change. This field will eventually show that the explicit web proxy is enabled for the Internal interface.

FTP Port                                     2121

Default Firewall Policy

ActioDeny

2. Select Apply.

 

To enable the explicit FTP proxy on the Internal interface

1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.

 

To add a RADIUS server and user group for the explicit FTP proxy

1. Go to User & Device > RADIUS Servers.

2. Select Create New to add a new RADIUS server:

 

Name                                           RADIUS_1

Primary Server Name/IP           10.31.101.200

Primary Server Secret              RADIUS_server_secret

3. Go to User > User > User Groups and select Create New.

 

Name                                           Explict_proxy_user_group

Type                                            Firewall

Remote groups                         RADIUS_1

Group Name                              ANY

4. Select OK.

 

To add a security policy for the explicit FTP proxy

1. Go to Policy & Objects > Addresses and select Create New.

2. Add a firewall address for the internal network:

 

Address Name                           Internal_subnet

Type                                            Subnet

Subnet / IP Range                     10.31.101.0

Interface                                     Any

3. Go to Policy & Objects > Explicit Proxy Policy and select Create New.

4. Configure the explicit FTP proxy security policy.

 

Explicit Proxy Type                  FTP

Source Address                        Internal_subnet

Outgoing Interface                   wan1

Destination Address                 all

Action                                         AUTHENTICATE

5. Under Configure Authentication Rules select Create New to add an authentication rule:

 

Groups                                       Explicit_policy

Users                                          Leave blank

Schedule                                    always

6. Turn on Antivirus and Web Filter and select the default profiles for both.

7. Select the default proxy options profile.

8. Select OK.

9. Make sure Enable IP Based Authentication is not selected and Default Authentication Method is set to Basic.

10. Select OK.

 

Configuring the explicit FTP proxy – CLI

Use the following steps to configure the example explicit web proxy configuration from the CLI.

 

 

To enable and configure the explicit FTP proxy

1. Enter the following command to enable the explicit FTP proxy and set the TCP port that proxy accepts FTP

connections on to 2121.

config ftp-proxy explicit set status enable

set incoming-port 2121

set sec-default-action deny end

 

To enable the explicit FTP proxy on the Internal interface

1. Enter the following command to enable the explicit FTP proxy on the internal interface.

config system interface edit internal

set explicit-ftp-proxy enable

end

 

To add a RADIUS server and user group for the explicit FTP proxy

1. Enter the following command to add a RADIUS server:

config user radius edit RADIUS_1

set server 10.31.101.200

set secret RADIUS_server_secret

end

2. Enter the following command to add a user group for the RADIUS server.

config user group

edit Explicit_proxy_user_group set group-type firewall

set member RADIUS_1

end

 

To add a security policy for the explicit FTP proxy

1. Enter the following command to add a firewall address for the internal subnet:

config firewall address edit Internal_subnet

set type iprange

set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

2. Enter the following command to add the explicit FTP proxy security policy:

config firewall explicit-proxy-policy edit 0

set proxy ftp

set dstintf wan1

set srcaddr Internal_subnet set dstaddr all

set action accept

set identity-based enable set ipbased disable

set active-auth-method basic config identity-based-policy

edit 0

set groups Explicit_Proxy_user_group set schedule always

set utm-status enable set av-profile default

set profile-protocol-options default end

end

 

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command line FTP client.

 

To test the explicit web proxy configuration

1. From a system on the internal network start an FTP client and enter the following command to connect to the FTP

proxy:

ftp 10.31.101.100

The explicit FTP proxy should respond with a message similar to the following:

Connected to 10.31.101.100.

220 Welcome to Fortigate FTP proxy

Name (10.31.101.100:user):

2. At the prompt enter a valid username and password for the RADIUS server followed by a user name for an FTP server on the Internet and the address of the FTP server. For example, if a valid username and password on the RADIUS server is ex_name and ex_pass and you attempt to connect to an FTP server at ftp.example.com with user name s_name, enter the following at the prompt:

Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com

3. You should be prompted for the password for the account on the FTP server.

4. Enter the password and you should be able to connect to the FTP server.

5. Attempt to explore the FTP server file system and download or upload files.

 

6. To test UTM functionality, attempt to upload or download an ECAR test file. Or upload or download a tex file containing text that would be matched by the DLP sensor.

 

For eicar test files, go to http://eicar.org.

This entry was posted in Fortinet, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.