FTP Proxy Configuration

FTP Proxy Configuration

General explicit FTP proxy configuration steps

You can use the following general steps to configure the explicit FTP proxy.

To enable the explicit FTP proxy – web-based manager:

  1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options. Select Enable Explicit FTP Proxy to turn on the explicit FTP proxy.
  2. Select Apply.

The Default Firewall Policy Action is set to Deny and requires you to add a explicit FTP proxy policy to allow access to the explicit FTP proxy. This configuration is recommended and is a best practice because you can use policies to control access to the explicit FTP proxy and also apply security features and authentication.

  1. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web proxy. Edit the interface and select Enable Explicit FTP Proxy.

Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.

  1. Go to Policy & Objects > Proxy Policyand select Create New and set the Explicit Proxy Type to

You can add multiple explicit FTP proxy policies.

  1. Configure the policy as required to accept the traffic that you want to be processed by the explicit FTP proxy.

The source address of the policy should match client source IP addresses. The firewall address selected as the source address cannot be assigned to a FortiGate interface. The Interface field of the firewall address must be blank or it must be set to Any.

The destination address of the policy should match the IP addresses of FTP servers that clients are connecting to. The destination address could be all to allow connections to any FTP server.

If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall Policy Action is set to Allow then all FTP proxy sessions that don’t match a policy are allowed.

For example the following explicit FTP proxy policy allows users on an internal network to access FTP servers on the Internet through the wan1 interface of a FortiGate unit.

Explicit Proxy Type FTP

 

FTP Proxy Configuration                                                                       General explicit FTP proxy configuration steps

Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Schedule always
Action ACCEPT

The following explicit FTP proxy policy requires users on an internal network to authenticate with the FortiGate unit before accessing FTP servers on the Internet through the wan1 interface.

Explicit Proxy Type FTP
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Action AUTHENTICATE
  1. Select Create New to add an Authentication Rule and configure the rule as follows:
Groups Proxy-Group
Source Users (optional)
Schedule always
  1. Add security profiles as required and select OK.
  2. You can add multiple authentication rules to apply different authentication for different user groups and users and also apply different security profiles and logging settings for different users.
  3. Select OK.

To enable the explicit FTP proxy – CLI:

  1. Enter the following command to turn on the explicit FTP proxy. This command also changes the explicit FTP proxy port to 2121.

config ftp-proxy explicit set status enable set incoming-port 2121

end

The default explicit FTP proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit FTP proxy.

  1. Enter the following command to enable the explicit FTP proxy for the internal interface. config system interface edit internal set explicit-ftp-proxy enable

end end

Restricting the IP address of the explicit FTP proxy                                                                FTP Proxy Configuration

  1. Use the following command to add a firewall address that matches the source address of users who connect to the explicit FTP proxy.

config firewall address edit Internal_subnet set type iprange set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

The source address for a ftp-proxy security policy cannot be assigned to a FortiGate unit interface.

  1. Use the following command to add an explicit FTP proxy policy that allows all users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

config firewall proxy-policy edit 0 set proxy ftp set dstintf wan1 set scraddr Internal_subnet

set dstaddr all set action accept set schedule always

end

  1. Use the following command to add an explicit FTP proxy policy that allows authenticated users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

config firewall proxy-policy edit 0 set proxy ftp set dstintf wan1 set scraddr Internal_subnet set dstaddr Fortinet-web-sites set action accept set schedule always set groups <User group>

end

end

Restricting the IP address of the explicit FTP proxy

You can use the following command to restrict access to the explicit FTP proxy using only one IP address. The IP address that you specify must be the IP address of an interface that the explicit FTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

For example, to require uses to connect to the IP address 10.31.101.100 to connect to the explicit FTP proxy:

config ftp-proxy explicit set incoming-ip 10.31.101.100 end

FTP Proxy Configuration                                         Restricting the outgoing source IP address of the explicit FTP proxy

Restricting the outgoing source IP address of the explicit FTP proxy

You can use the following command to restrict the source address of outgoing FTP proxy packets to a single IP address. The IP address that you specify must be the IP address of an interface that the explicit FTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

For example, to restrict the outgoing packet source address to 172.20.120.100:

config ftp-proxy explicit set outgoing-ip 172.20.120.100

end

Example users on an internal network connecting to FTP servers on the Internet through the explicit FTP with RADIUS authentication and virus scanning

This example describes how to configure the explicit FTP proxy for the example network shown below. In this example, users on the internal network connect to the explicit FTP proxy through the Internal interface with IP address 10.31.101.100. The explicit web proxy is configured to use port 2121 so to connect to an FTP server on the Internet users must first connect to the explicit FTP proxy using IP address 10.31.101.100 and port 2121.

Example explicit FTP proxy network topology

In this example, explicit FTP proxy users must authenticate with a RADIUS server before getting access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity based policy that applies per session authentication to explicit FTP proxy users and includes a user group with the RADIUS server in it. The identity based policy also applies UTM virus scanning and DLP.

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Enable the explicit FTP proxy and change the FTP port to 2121.
  2. Enable the explicit FTP proxy on the internal interface.

 

Example users on an internal network connecting to FTP servers on the Internet through      explicit               FTP Proxy

FTP with RADIUS authentication and virus scanning                                                                              Configuration

  1. Add a RADIUS server and user group for the explicit FTP proxy.
  2. Add a user identity security policy for the explicit FTP proxy.
  3. Enable antivirus and DLP features for the identity-based policy.

Configuring the explicit FTP proxy – web-based manager

Use the following steps to configure the explicit FTP proxy from FortiGate web-based manager.

To enable and configure the explicit FTP proxy

  1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:
Enable Explicit FTP Proxy Select.
Listen on Interface No change. This field will eventually show that the explicit web proxy is enabled for the Internal interface.
FTP Port 2121
Default Firewall Policy Action Deny
  1. Select Apply.

To enable the explicit FTP proxy on the Internal interface

  1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.

To add a RADIUS server and user group for the explicit FTP proxy

  1. Go to User & Device > RADIUS Servers.
  2. Select Create New to add a new RADIUS server:
Name RADIUS_1
Primary Server Name/IP 10.31.101.200
Primary Server Secret RADIUS_server_secret
  1. Go to User > User > User Groups and select Create New.
Name Explict_proxy_user_group
Type Firewall
Remote groups RADIUS_1
Group Name ANY
  1. Select OK.

FTP Proxy               Example users on an internal network connecting to FTP servers on      Internet through the explicit

Configuration                                                                              FTP with RADIUS authentication and virus scanning

To add a security policy for the explicit FTP proxy

  1. Go to Policy & Objects > Addresses and select Create New.
  2. Add a firewall address for the internal network:
Address Name Internal_subnet
Type Subnet
Subnet / IP Range 10.31.101.0
Interface Any
  1. Go to Policy & Objects > Proxy Policyand select Create New.
  2. Configure the explicit FTP proxy security policy.
Explicit Proxy Type FTP
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Action AUTHENTICATE
  1. Under Configure Authentication Rules select Create New to add an authentication rule:
Groups   Explicit_policy
Users   Leave blank
Schedule   always
  1. Turn on Antivirus and Web Filter and select the default profiles for both.
  2. Select the default proxy options profile.
  3. Select OK.
  4. Make sure Enable IP Based Authentication is not selected and DefaultAuthentication Method is set to Basic.
  5. Select OK.

Configuring the explicit FTP proxy – CLI

Use the following steps to configure the example explicit web proxy configuration from the CLI.

To enable and configure the explicit FTP proxy

  1. Enter the following command to enable the explicit FTP proxy and set the TCP port that proxy accepts FTP connections on to 2121.

config ftp-proxy explicit set status enable set incoming-port 2121

Example users on an internal network connecting to FTP servers on the Internet through      explicit               FTP Proxy

FTP with RADIUS authentication and virus scanning                                                                              Configuration

set sec-default-action deny

end

To enable the explicit FTP proxy on the Internal interface

  1. Enter the following command to enable the explicit FTP proxy on the internal interface. config system interface edit internal set explicit-ftp-proxy enable

end

To add a RADIUS server and user group for the explicit FTP proxy

  1. Enter the following command to add a RADIUS server:

config user radius edit RADIUS_1 set server 10.31.101.200 set secret RADIUS_server_secret

end

  1. Enter the following command to add a user group for the RADIUS server.

config user group edit Explicit_proxy_user_group set group-type firewall set member RADIUS_1

end

To add a security policy for the explicit FTP proxy

  1. Enter the following command to add a firewall address for the internal subnet: config firewall address edit Internal_subnet set type iprange set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

  1. Enter the following command to add the explicit FTP proxy security policy: config firewall proxy-policy edit 0 set proxy ftp set dstintf wan1 set srcaddr Internal_subnet

set dstaddr all set action accept set identity-based enable set ipbased disable set active-auth-method basic set groups <User group> end

FTP Proxy               Example users on an internal network connecting to FTP servers on      Internet through the explicit

Configuration                                                                              FTP with RADIUS authentication and virus scanning

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command line FTP client.

To test the explicit web proxy configuration

  1. From a system on the internal network start an FTP client and enter the following command to connect to the FTP proxy:

ftp 10.31.101.100

The explicit FTP proxy should respond with a message similar to the following:

Connected to 10.31.101.100. 220 Welcome to Floodgate FTP proxy Name (10.31.101.100:user):

  1. At the prompt enter a valid username and password for the RADIUS server followed by a user name for an FTP server on the Internet and the address of the FTP server. For example, if a valid username and password on the RADIUS server is ex_name and ex_pass and you attempt to connect to an FTP server at ftp.example.com with user name s_name, enter the following at the prompt:

Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com

  1. You should be prompted for the password for the account on the FTP server.
  2. Enter the password and you should be able to connect to the FTP server.
  3. Attempt to explore the FTP server file system and download or upload files.
  4. To test UTM functionality, attempt to upload or download an ECAR test file. Or upload or download a text file containing text that would be matched by the DLP sensor.

For eicar test files, go to http://eicar.org.

 

get test {wad | wccpd} <test_level>

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.