Example: users on an internal network connecting to FTP servers on the Internet through the explicit FTP proxy with RADIUS authentication and virus scanning
This example describes how to configure the explicit FTP proxy for the example network shown below. Users on the internal network connect to the explicit FTP proxy through the Internal interface, which has IP address 10.31.101.100. The explicit FTP proxy is configured to listen on port 2121, so to reach an FTP server on the Internet users must first connect to the proxy at 10.31.101.100, port 2121.
Example explicit FTP proxy network topology
In this example, explicit FTP proxy users must authenticate with a RADIUS server before they are given access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity-based policy that applies per-session authentication to explicit FTP proxy users and contains a user group that has the RADIUS server as a member. The identity-based policy also applies UTM virus scanning and DLP.
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
1. Enable the explicit FTP proxy and change the FTP port to 2121.
2. Enable the explicit FTP proxy on the internal interface.
3. Add a RADIUS server and user group for the explicit FTP proxy.
4. Add a user identity security policy for the explicit FTP proxy.
5. Enable antivirus and DLP features for the identity-based policy.
Configuring the explicit FTP proxy – web-based manager
Use the following steps to configure the explicit FTP proxy from the FortiGate web-based manager.
To enable and configure the explicit FTP proxy
1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:
Enable Explicit FTP Proxy Select
Listen on Interface No change. After the next procedure this field shows that the explicit FTP proxy is enabled on the Internal interface.
FTP Port 2121
Default Firewall Policy Action Deny (FTP proxy sessions that do not match an explicit proxy policy are dropped)
2. Select Apply.
To enable the explicit FTP proxy on the Internal interface
1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.
To add a RADIUS server and user group for the explicit FTP proxy
1. Go to User & Device > RADIUS Servers.
2. Select Create New to add a new RADIUS server:
Name RADIUS_1
Primary Server Name/IP 10.31.101.200
Primary Server Secret RADIUS_server_secret
3. Go to User & Device > User Groups and select Create New.
Name Explicit_proxy_user_group
Type Firewall
Remote groups RADIUS_1
Group Name ANY
4. Select OK.
To add a security policy for the explicit FTP proxy
1. Go to Policy & Objects > Addresses and select Create New.
2. Add a firewall address for the internal network:
Address Name Internal_subnet
Type Subnet
Subnet / IP Range 10.31.101.0/24
Interface Any
3. Go to Policy & Objects > Explicit Proxy Policy and select Create New.
4. Configure the explicit FTP proxy security policy.
Explicit Proxy Type FTP
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Action AUTHENTICATE
5. Under Configure Authentication Rules select Create New to add an authentication rule:
Groups Explicit_proxy_user_group
Users Leave blank
Schedule always
6. Turn on Antivirus and select the default antivirus profile. Turn on DLP Sensor and select the sensor that matches the content you want to block; web filtering does not apply to FTP sessions.
7. Select the default proxy options profile.
8. Select OK.
9. Make sure Enable IP Based Authentication is not selected and Default Authentication Method is set to Basic.
10. Select OK.
Configuring the explicit FTP proxy – CLI
Use the following commands to build the same explicit FTP proxy configuration from the CLI.
To enable and configure the explicit FTP proxy
1. Enter the following command to enable the explicit FTP proxy, set the TCP port on which the proxy accepts FTP connections to 2121, and deny sessions that do not match an explicit proxy policy:
config ftp-proxy explicit
    set status enable
    set incoming-port 2121
    set sec-default-action deny
end
To enable the explicit FTP proxy on the Internal interface
1. Enter the following command to enable the explicit FTP proxy on the Internal interface:
config system interface
    edit internal
        set explicit-ftp-proxy enable
    next
end
To add a RADIUS server and user group for the explicit FTP proxy
1. Enter the following command to add a RADIUS server:
config user radius
    edit RADIUS_1
        set server 10.31.101.200
        set secret RADIUS_server_secret
    next
end
2. Enter the following command to add a user group that has the RADIUS server as a member:
config user group
    edit Explicit_proxy_user_group
        set group-type firewall
        set member RADIUS_1
    next
end
To add a security policy for the explicit FTP proxy
1. Enter the following command to add a firewall address for the internal subnet (the same /24 as the web-based manager address; an IP range ending in .255 would also include the broadcast address):
config firewall address
    edit Internal_subnet
        set type ipmask
        set subnet 10.31.101.0 255.255.255.0
    next
end
2. Enter the following command to add the explicit FTP proxy security policy. The policy accepts the traffic; the identity-based sub-policy requires per-session (not IP-based) basic authentication against the RADIUS user group and applies the default antivirus profile. To also apply a DLP sensor, as the example intends, add set dlp-sensor <sensor name> inside the identity-based policy:
config firewall explicit-proxy-policy
    edit 0
        set proxy ftp
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set identity-based enable
        set ipbased disable
        set active-auth-method basic
        config identity-based-policy
            edit 0
                set groups Explicit_proxy_user_group
                set schedule always
                set utm-status enable
                set av-profile default
                set profile-protocol-options default
            next
        end
    next
end
Testing and troubleshooting the configuration
You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command-line FTP client.
To test the explicit FTP proxy configuration
1. From a system on the internal network, start an FTP client and enter the following command to connect to the FTP proxy. The port must be given explicitly because the proxy listens on 2121, not on the FTP default port 21:
ftp 10.31.101.100 2121
The explicit FTP proxy should respond with a message similar to the following:
Connected to 10.31.101.100.
220 Welcome to Fortigate FTP proxy
Name (10.31.101.100:user):
2. At the prompt, enter a valid username and password for the RADIUS server, followed by a user name for an FTP server on the Internet and the address of that FTP server, in the form radius_user:radius_password:ftp_user@ftp_server. For example, if ex_name and ex_pass are a valid username and password on the RADIUS server and you want to connect to the FTP server at ftp.example.com with the user name s_name, enter the following at the prompt:
Name (10.31.101.100:user): ex_name:ex_pass:s_name@ftp.example.com
Because FTP is not encrypted, this string, including the RADIUS password, is sent in clear text in the FTP USER command and can be read by anyone who can sniff the internal network.
3. You should be prompted for the password for the account on the FTP server.
4. Enter the password and you should be able to connect to the FTP server.
5. Attempt to explore the FTP server file system and download or upload files.
6. To test the UTM functionality, attempt to upload or download an EICAR test file, or upload or download a text file containing content that would be matched by the DLP sensor.
EICAR test files are available from http://eicar.org.
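The following Python script is an added example for scripting the login test in steps 1 to 4 above; it is not part of the original FortiGate documentation. It connects to the proxy address and port from the example (10.31.101.100, 2121), sends the combined radius_user:radius_password:ftp_user@ftp_server string in the FTP USER command, then the FTP server password in PASS, and records both sides of the control-channel exchange. It assumes, which the page does not state, that the proxy answers USER with a 331 reply and a successful PASS with 230 as a standard RFC 959 server would; the server transcripts used by replay() are constructed by hand so the exchange can be checked offline.

```python
"""Scripted login through the FortiGate explicit FTP proxy from the example.

Added example, not FortiGate code. Assumed, not stated on the page: the proxy
answers USER with a 331 reply and a successful PASS with 230 (RFC 959
behaviour); the server transcripts fed to replay() are constructed by hand.
"""
import io
import socket
import sys

PROXY_HOST = "10.31.101.100"   # Internal interface address from the example
PROXY_PORT = 2121              # incoming-port configured in the example


def proxy_username(radius_user, radius_pass, ftp_user, ftp_host):
    """Build the USER argument the proxy expects: radius_user:radius_pass:ftp_user@ftp_host.

    The RADIUS password travels inside a plain FTP command, i.e. in clear text on
    the internal network; ':' and '@' are delimiters and cannot appear in the parts.
    """
    for part in (radius_user, radius_pass, ftp_user):
        if ":" in part or "@" in part:
            raise ValueError("':' and '@' are not allowed in %r" % part)
    return "%s:%s:%s@%s" % (radius_user, radius_pass, ftp_user, ftp_host)


def read_reply(rfile):
    """Read one FTP reply (single or multi-line per RFC 959); return (code, text)."""
    raw = rfile.readline()
    if not raw:
        raise ConnectionError("proxy closed the control connection")
    first = raw.decode("latin-1").rstrip("\r\n")
    code, sep, lines = first[:3], first[3:4], [first[4:]]
    while sep == "-":                      # multi-line reply ends with "<code> text"
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed inside a multi-line reply")
        more = raw.decode("latin-1").rstrip("\r\n")
        if more[:3] == code and more[3:4] == " ":
            sep = " "
        lines.append(more[4:] if more[:3] == code else more)
    return int(code), "\n".join(lines)


def ftp_login(rfile, wfile, radius_user, radius_pass, ftp_user, ftp_host, ftp_pass):
    """Run the USER/PASS exchange; return (final reply code, transcript).

    transcript is a list of ("C", command) / ("S", reply) tuples in wire order.
    """
    transcript = []

    def send(cmd):
        wfile.write((cmd + "\r\n").encode("latin-1"))
        wfile.flush()
        transcript.append(("C", cmd))

    def recv():
        code, text = read_reply(rfile)
        transcript.append(("S", "%d %s" % (code, text)))
        return code

    code = recv()                          # 220 banner from the proxy
    if code != 220:
        return code, transcript
    send("USER " + proxy_username(radius_user, radius_pass, ftp_user, ftp_host))
    code = recv()                          # 331: proxy now wants the FTP server password
    if code != 331:
        return code, transcript            # e.g. 530 when RADIUS rejects the credentials
    send("PASS " + ftp_pass)
    return recv(), transcript              # 230 on success, 530 on a bad FTP password


def login_via_proxy(radius_user, radius_pass, ftp_user, ftp_host, ftp_pass,
                    proxy_host=PROXY_HOST, proxy_port=PROXY_PORT, timeout=10):
    """Connect to the proxy on its non-default port and run the login exchange."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
        code, transcript = ftp_login(rfile, wfile, radius_user, radius_pass,
                                     ftp_user, ftp_host, ftp_pass)
        wfile.write(b"QUIT\r\n")
        wfile.flush()
    return code, transcript


def replay(server_replies, *login_args):
    """Run ftp_login against a constructed server transcript (offline check).
    Returns (final code, bytes the client sent, transcript)."""
    rfile, wfile = io.BytesIO(server_replies), io.BytesIO()
    code, transcript = ftp_login(rfile, wfile, *login_args)
    return code, wfile.getvalue(), transcript


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: %s radius_user radius_pass ftp_user ftp_host ftp_pass" % sys.argv[0])
    final, lines = login_via_proxy(*sys.argv[1:6])
    for who, line in lines:                # never echo credentials to the terminal
        print(who, line.split(" ", 1)[0] + " ***" if who == "C" else line)
    sys.exit(0 if final == 230 else 1)
```

Run it from a host on the internal network as python3 ftp_proxy_login.py ex_name ex_pass s_name ftp.example.com <ftp password>; a 530 after the USER line means the RADIUS step failed (wrong RADIUS credentials, the user is not in Explicit_proxy_user_group, or the policy did not match), while a 530 after PASS points at the FTP server account. The client side of the transcript is redacted before printing because the USER line carries the RADIUS password.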