Configuring FTP Proxy on FortiGate for Optimized Traffic Management

Published on: 01-03-2025 By Bharat Dhasmana

How to Configure an FTP Proxy on FortiGate

FTP proxies are a crucial component in managing FTP traffic efficiently through your FortiGate firewall. By configuring an FTP proxy, you can ensure seamless transmission of FTP requests and optimize overall traffic flow within your network. This guide provides step-by-step instructions on setting up and configuring an FTP proxy using both the GUI and CLI on FortiGate.

Understanding FTP Proxy Configuration

When configured as an FTP proxy, the FortiGate receives FTP requests from client applications. These requests are then proxied, facilitating control over FTP traffic. The process is straightforward, and can be executed through the FortiGate interface or command line.

Configuring Explicit FTP Proxy in the GUI

Steps:
  1. Go to Network > Explicit Proxy.
  2. Enable Explicit FTP Proxy.
  3. Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
  4. Configure the Default Firewall Policy Action as required.
  5. Click Apply.
Create an FTP Proxy Policy:
  1. Navigate to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set Proxy Type to FTP and Outgoing Interface to port1.
  4. Set Source and Destination to all, Schedule to always, and Action to ACCEPT.
  5. Click OK to create the policy.

Note: Security profiles can be enabled if needed. Also, ensure FTP client applications use the FortiGate IP address as their FTP proxy address.

Configuring Explicit FTP Proxy in the CLI

The CLI method allows more granular control over FTP proxy settings.

Enable and configure explicit FTP proxy:

    config ftp-proxy explicit
        set status enable
        set incoming-port 21
    end

Configure system interface:

    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set explicit-ftp-proxy enable
            set snmp-index 12
        next
    end

Create a proxy policy:

    config firewall proxy-policy
        edit 4
            set name "proxy-policy-ftp"
            set proxy ftp
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end

Changing the FTP Mode from Active to Passive for Explicit Proxy

In some cases, you may need to convert active FTP connections to passive ones. This is particularly useful if the FTP client only supports active mode. The explicit FTP proxy can handle this conversion effortlessly.

Steps to Configure Passive Mode:

Configure the FTP proxy to passive mode:

    config ftp-proxy explicit
        set status enable
        set incoming-port 21
        set server-data-mode passive
    end

Enable explicit FTP proxy on port1:

    config system interface
        edit "port1"
            set ip 10.1.100.2 255.255.255.0
            set explicit-ftp-proxy enable
        next
    end

Configure the firewall policy:

    config firewall proxy-policy
        edit 1
            set proxy ftp
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end

You can verify the FTP proxy's conversion from active to passive mode by checking the log files on the FTP server: the data-connection commands arriving from the proxy should be passive-mode commands (PASV or EPSV) rather than active-mode ones (PORT or EPRT).
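One way to automate the log check described above, as an added example that is not part of the original guide or of Fortinet's tooling. It assumes the FTP server writes a per-command protocol log in the style of vsftpd's; the sample lines, the placeholder address 192.0.2.1 for the FortiGate's server-facing IP (the guide does not give one), and the function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of vsftpd's protocol log.
# 192.0.2.1 is a placeholder for the FortiGate's server-facing address;
# 198.51.100.7 is a constructed client that reached the server directly.
SAMPLE_LOG = '''\
Fri Jan  3 10:15:01 2025 [pid 4120] [ftpuser] FTP command: Client "192.0.2.1", "USER ftpuser"
Fri Jan  3 10:15:02 2025 [pid 4120] [ftpuser] FTP command: Client "192.0.2.1", "PASV"
Fri Jan  3 10:15:02 2025 [pid 4120] [ftpuser] FTP command: Client "192.0.2.1", "LIST"
Fri Jan  3 10:15:09 2025 [pid 4120] [ftpuser] FTP command: Client "192.0.2.1", "EPSV"
Fri Jan  3 10:15:09 2025 [pid 4120] [ftpuser] FTP command: Client "192.0.2.1", "RETR report.csv"
Fri Jan  3 10:20:30 2025 [pid 4188] [ftpuser] FTP command: Client "198.51.100.7", "PORT 198,51,100,7,200,10"
'''

# Matches only command lines (not responses): peer address, then the FTP verb.
LINE_RE = re.compile(
    r'FTP command: Client "(?P<ip>[^"]+)", "(?P<cmd>[A-Za-z]+)(?: [^"]*)?"'
)
ACTIVE = {"PORT", "EPRT"}    # server connects back to the peer
PASSIVE = {"PASV", "EPSV"}   # peer connects to the server


def data_modes(log_text):
    """Count active and passive data-channel commands per peer address."""
    modes = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").upper()
        if cmd in ACTIVE:
            kind = "active"
        elif cmd in PASSIVE:
            kind = "passive"
        else:
            continue  # not a data-channel setup command
        modes.setdefault(m.group("ip"), Counter())[kind] += 1
    return modes


def conversion_ok(log_text, proxy_ip):
    """True if the proxy was seen and used passive-mode commands only."""
    seen = data_modes(log_text).get(proxy_ip, Counter())
    return seen["passive"] > 0 and seen["active"] == 0


if __name__ == "__main__":
    for ip, counts in data_modes(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("proxy converts to passive:", conversion_ok(SAMPLE_LOG, "192.0.2.1"))
```

Adjust `LINE_RE` to the log format your FTP server actually produces. Any address other than the proxy's appearing in the output means a client is reaching the server without passing through the FortiGate.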

By following these detailed configurations, your network can benefit from enhanced FTP traffic management, ensuring data integrity and transmission efficiency across your FortiGate firewall.