Handbook

Protecting an FTP server

6.0.0

To connect to an FTP server using the explicit FTP proxy, users must run an FTP client and connect to the IP address of a FortiGate interface on which the explicit FTP proxy is enabled. This connection attempt must use the configured explicit FTP proxy port number (default 21).

The explicit FTP proxy is not compatible with using a web browser as an FTP client. To use web browsers as FTP clients configure the explicit web proxy to accept FTP sessions.

The following steps occur when a user starts an FTP client to connect to an FTP server using the explicit FTP proxy. Any RFC-compliant FTP client can be used. This example describes using a command-line FTP client. Some FTP clients may require a custom FTP proxy connection script.

  1. The user enters a command on the FTP client to connect to the explicit FTP proxy.

    For example, if the IP address of the FortiGate interface on which the explicit FTP proxy is enabled is 10.31.101.100, enter:

    ftp 10.31.101.100

  2. The explicit FTP proxy responds with a welcome message and requests the user's FTP proxy user name and password, together with the user name and address of the FTP server to connect to:

    Connected to 10.31.101.100.

    220 Welcome to FortiGate FTP proxy

    Name (10.31.101.100:user):

    You can change the message by editing the FTP Explicit Banner Message replacement message.

  3. At the prompt the user enters their FTP proxy username and password and a username and address for the FTP server.

    The FTP server address can be a domain name or numeric IP address. This information is entered using the following syntax:

    <proxy-user>:<proxy-password>:<server-user>@<server-address>

    For example, if the proxy username and password are p-name and p-pass, a valid username for the FTP server is s-name, and the server's address is ftp.example.com, the syntax would be:

    p-name:p-pass:s-name@ftp.example.com

    Note: If the FTP proxy accepts anonymous logins, p-name and p-pass can be any characters.
  4. The FTP proxy forwards the connection request, including the user name, to the FTP server.
  5. If the user name is valid for the FTP server it responds with a password request prompt.
  6. The FTP proxy relays the password request to the FTP client.
  7. The user enters the FTP server password and the client sends the password to the FTP proxy.
  8. The FTP proxy relays the password to the FTP server.
  9. The FTP server sends a login successful message to the FTP proxy.
  10. The FTP proxy relays the login successful message to the FTP client.
  11. The FTP client starts the FTP session.

    All commands entered by the client are relayed by the proxy to the server. Replies from the server are relayed back to the FTP client.

Explicit FTP proxy session

From a simple command-line FTP client, the previous sequence could appear as follows:

ftp 10.31.101.100 21
Connected to 10.31.101.100.
220 Welcome to FortiGate FTP proxy
Name (10.31.101.100:user): p-name:p-pass:s-name@ftp.example.com
331 Please specify the password.
Password: s-pass
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
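The combined Name field in the steps and session above packs the proxy credentials and the target server into a single USER value, so a script that drives the explicit FTP proxy has to compose that string correctly and a reviewer reading proxy logs has to take it apart. The following Python is an added example (it is not Fortinet code) that builds and parses the page's `<proxy-user>:<proxy-password>:<server-user>@<server-address>` syntax, distinguishes a numeric IP address from a domain name as the page allows for the server address, and shows how the same login sequence is driven with the standard-library `ftplib` client. The page does not say how the FortiGate resolves ambiguous strings (a ':' inside the proxy password, an '@' inside the server user name); the splitting rules here are this example's own assumption, as is the host-name validation.

```python
"""Build and parse the login string used with the FortiGate explicit FTP proxy.

Added example, not Fortinet code. The combined field format is the one on the page:
    <proxy-user>:<proxy-password>:<server-user>@<server-address>
How the FortiGate itself handles ambiguous strings is not documented on the page;
the splitting rules below are this example's assumption.
"""
import ipaddress
import re
from dataclasses import dataclass
from ftplib import FTP

# Host-name label check in the style of RFC 1123 (assumption: adequate for this example).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class ProxyLogin:
    proxy_user: str
    proxy_password: str
    server_user: str
    server_address: str
    address_kind: str  # "ip" for a numeric address, "domain" for a host name


def classify_address(address: str) -> str:
    """Return 'ip' for a numeric IPv4/IPv6 address or 'domain' for a valid host name."""
    try:
        ipaddress.ip_address(address)
        return "ip"
    except ValueError:
        pass
    labels = address.rstrip(".").split(".")
    if address and all(_LABEL.match(label) for label in labels):
        return "domain"
    raise ValueError(f"invalid FTP server address: {address!r}")


def parse_proxy_login(name_field: str) -> ProxyLogin:
    """Split the combined Name field into its four parts.

    Splitting rules (this example's assumption, not documented on the page):
      * the first two ':' separate proxy user and proxy password, so the proxy
        password may not contain ':' but the remainder may;
      * the LAST '@' separates server user from server address, so the server
        user may contain '@' (mail-style logins) but the address may not.
    """
    parts = name_field.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected <proxy-user>:<proxy-password>:<server-user>@<server-address>")
    proxy_user, proxy_password, remainder = parts
    server_user, sep, server_address = remainder.rpartition("@")
    if not sep or not server_user or not server_address:
        raise ValueError("missing <server-user>@<server-address>")
    kind = classify_address(server_address)
    return ProxyLogin(proxy_user, proxy_password, server_user, server_address, kind)


def is_valid_proxy_login(name_field: str) -> bool:
    """True when the field parses under the rules above."""
    try:
        parse_proxy_login(name_field)
        return True
    except ValueError:
        return False


def build_proxy_login(proxy_user: str, proxy_password: str,
                      server_user: str, server_address: str) -> str:
    """Compose the Name field; reject values the syntax cannot encode unambiguously."""
    if ":" in proxy_user or ":" in proxy_password:
        raise ValueError("proxy user and password may not contain ':'")
    if "@" in server_address:
        raise ValueError("server address may not contain '@'")
    classify_address(server_address)
    return f"{proxy_user}:{proxy_password}:{server_user}@{server_address}"


def login_via_explicit_proxy(proxy_ip: str, proxy_port: int,
                             name_field: str, server_password: str, timeout: int = 30):
    """Drive the page's sequence with ftplib: connect to the FortiGate interface,
    send the combined string as USER and the FTP server's password as PASS.
    This is a network call and is not exercised by the offline checks."""
    ftp = FTP()
    ftp.connect(proxy_ip, proxy_port, timeout=timeout)
    banner = ftp.getwelcome()  # e.g. "220 Welcome to FortiGate FTP proxy"
    ftp.login(user=name_field, passwd=server_password)
    return ftp, banner


if __name__ == "__main__":
    # Constructed sample values taken from the page's own example.
    field = build_proxy_login("p-name", "p-pass", "s-name", "ftp.example.com")
    print(field)                      # p-name:p-pass:s-name@ftp.example.com
    print(parse_proxy_login(field))   # ProxyLogin(..., address_kind='domain')
```

Because the proxy password rides inside the USER command, anything that records FTP control traffic or client command history (shell history, the client's debug output, a packet capture) also records p-pass; a practitioner should treat the combined field as a secret, not as a plain user name.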
