Description
This article describes how to configure the explicit FTP Proxy in FortiProxy when the proxy has no direct connection to the Internet because a device in front of it acts as a Forwarding Server.
Scope
FortiProxy. |
Solution |
This is the FTP Proxy configuration for the scenario in which a user tries to reach a public FTP server and the traffic has to pass through FortiProxy (which has no direct access to the Internet) and then through a device in front of it that acts as a Forwarding Server.
Connect to the FortiProxy GUI and navigate to Proxy Settings -> FTP Proxy.
There are a few options available, such as the ‘Incoming IP’, the ‘Outgoing IP’, the ‘Incoming Port’, and the ‘Default Firewall Policy Action’. Values for each field need to be adapted based on the setup.
In the CLI, the configuration looks like the following (the ‘config ftp-proxy explicit’ wrapper is the table these settings belong to):
config ftp-proxy explicit
    set status enable
    set incoming-port 21
    set outgoing-ip 0.0.0.0
end
If FortiGate acts as a passive FTP client and requests the FTP server to share the data transfer port, ‘server-data-mode’ has to be changed from ‘client’ to ‘passive’ mode. After enabling and configuring the explicit FTP Proxy, it is important to navigate to the FortiProxy GUI Network -> Interfaces, select and edit the outgoing interface, and enable the parameter ‘Explicit FTP proxy’, which is visible in the Miscellaneous section.
Configure the Forwarding Server in the FortiProxy GUI by navigating to Proxy Settings -> Forwarding Server -> Create New. When selecting 'Create New', the available options are depicted in the following figure:
Configure the ‘Name’ and the ‘Proxy Address’, as these are the mandatory fields. ‘Port’ might need to be configured depending on the setup.
Note: Activating the ‘Health Monitor’ parameter adds extra value, as it runs a health check against this forwarding server using a URL. If the forwarding server does not respond to the health check, it is marked down and traffic stops being forwarded to it.
The CLI configuration of the Forwarding Server should look like the following:
config web-proxy forward-server
    edit "TEST_FTP_FORWARD"
        set ip <Specify_IP>
        set port 21
    next
end
The forwarding server uses the protocols HTTP and SOCKS by default. This is not visible in the configuration above because the ‘set protocol’ command is hidden in the CLI until it is changed. The full set of attributes of the entry is:
config web-proxy forward-server
    edit "TEST_FTP_FORWARD"
        set addr-type ip
        set ip <Specify_IP>
        set port <Specify_Port>
        set comment ''
        set masquerade disable
        set protocol http socks    <-- Hidden command.
        set healthcheck disable
        set server-down-option block
        set username ''
        set password ENC ……
    next
end
It is important to change the protocol from HTTP and SOCKS to FTP, so that it is explicit that this traffic is FTP. This option can be modified by CLI only, and the result should look like the following after the change:
config web-proxy forward-server
    edit "TEST_FTP_FORWARD"
        set ip <Specify_IP>
        set port <Specify_Port>
        set protocol ftp
    next
end
After configuring the Forwarding Server, the next step is to define a ‘Server URL’ and enable the ‘Forward to Server’ option in it. Navigate to FortiProxy GUI Proxy Settings -> Server URL -> Create New. The fields ‘Name’ and ‘URL Pattern’ are mandatory.
The Forwarding Server ‘TEST_FTP_FORWARD’ has been configured to use the protocol FTP only. For that reason, there is no need to enable the option ‘Forward to Server’; instead, configure the ftp-forward-server via the command line. Edit the newly created ‘Server URL’ via CLI and run (‘<Server_URL_name>’ is the name given to the Server URL entry):
config web-proxy url-match
    edit "<Server_URL_name>"
        set ftp-forward-server "TEST_FTP_FORWARD"
    next
end
Note: The ‘Forward to Server’ option is mapped to the command ‘set forward-server’ in the CLI. This command is meant for choosing a Forwarding Server that uses the protocols HTTP and SOCKS. Even so, a Forwarding Server configured with the FTP protocol is still listed in the GUI when this parameter is enabled, the system allows it to be selected, and no error is prompted when selecting the ‘OK’ button; the FTP-only server should nevertheless be referenced through ‘set ftp-forward-server’ as shown above.
The last step is to create a policy. Navigate to the FortiProxy GUI Policy & Objects > Policy > Create New and create a new policy. In the ‘Type’ field, it is necessary to use ‘FTP’. The remaining fields should be configured depending on the setup.
Policy in CLI:
config firewall policy
    edit 16
        set type explicit-ftp
        set name "TEST_FTP"
        set dstintf <outgoing_interface>
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
Note that the Forwarding Server itself must also be configured correctly to let the traffic pass and reach the public FTP server.
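The steps above have several points where a mismatch is silent: the forwarding server keeps its hidden ‘http socks’ protocol default, the GUI lets an FTP-only forwarding server be picked through ‘Forward to Server’, and the health check is off unless enabled. The following script, an added example that is not part of the original article or of FortiProxy itself, parses a FortiProxy-style CLI dump into nested dictionaries and audits those points. It assumes the table names shown in the article (‘ftp-proxy explicit’, ‘web-proxy forward-server’, ‘web-proxy url-match’, ‘firewall policy’) and that ‘url-pattern’ is the CLI key for the GUI field ‘URL Pattern’; the sample configuration is constructed here, with one correct Server URL and one that shows both mistakes.

```python
import shlex
from typing import Any

Node = dict[str, Any]

# Constructed sample: a FortiProxy-style dump with one correct url-match
# (FTP_SITE_GOOD) and one that keeps the hidden protocol default on its
# ftp-forward-server and also points forward-server at an FTP-only server.
SAMPLE_CONFIG = """
config ftp-proxy explicit
    set status enable
    set incoming-port 21
    set outgoing-ip 0.0.0.0
end
config web-proxy forward-server
    edit "FTP_FORWARD_OK"
        set ip 192.0.2.10
        set port 21
        set protocol ftp
        set healthcheck enable
    next
    edit "FTP_FORWARD_DEFAULT"
        set ip 192.0.2.11
        set port 21
    next
end
config web-proxy url-match
    edit "FTP_SITE_GOOD"
        set url-pattern "ftp.example.com"
        set ftp-forward-server "FTP_FORWARD_OK"
    next
    edit "FTP_SITE_BAD"
        set url-pattern "ftp.example.net"
        set ftp-forward-server "FTP_FORWARD_DEFAULT"
        set forward-server "FTP_FORWARD_OK"
    next
end
config firewall policy
    edit 16
        set type explicit-ftp
        set name "TEST_FTP"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
"""


def parse_fortios_config(text: str) -> Node:
    """Parse FortiProxy/FortiOS-style CLI text into nested dicts.

    'config <table>' opens a table, 'edit <name>' opens an entry inside it,
    'set <key> <values...>' stores a value (a list when multi-valued),
    'next' closes the entry and 'end' closes the table.
    """
    root: Node = {}
    stack: list[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted names such as "TEST_FTP"
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            name = " ".join(tokens[1:])
            stack.append(stack[-1].setdefault(name, {}))
        elif keyword == "set":
            values = tokens[2:]
            stack[-1][tokens[1]] = values[0] if len(values) == 1 else values
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def protocols(server: Node) -> list[str]:
    """Protocols a forwarding server handles. The CLI hides the default
    'http socks' until it is changed, so assume it when the key is absent."""
    proto = server.get("protocol", ["http", "socks"])
    return [proto] if isinstance(proto, str) else list(proto)


def audit_ftp_forwarding(config_text: str) -> list[str]:
    """Return human-readable findings for the explicit FTP proxy chain."""
    cfg = parse_fortios_config(config_text)
    servers: Node = cfg.get("web-proxy forward-server", {})
    url_matches: Node = cfg.get("web-proxy url-match", {})
    policies: Node = cfg.get("firewall policy", {})
    ftp_proxy: Node = cfg.get("ftp-proxy explicit", {})
    findings: list[str] = []

    if ftp_proxy.get("status") != "enable":
        findings.append("ftp-proxy explicit: status is not enabled")

    for name, match in url_matches.items():
        ftp_fwd = match.get("ftp-forward-server")
        if ftp_fwd:
            server = servers.get(ftp_fwd)
            if server is None:
                findings.append(f"url-match {name}: ftp-forward-server {ftp_fwd} does not exist")
            else:
                if "ftp" not in protocols(server):
                    findings.append(f"url-match {name}: ftp-forward-server {ftp_fwd} has protocol "
                                    f"{' '.join(protocols(server))}, expected ftp")
                if server.get("healthcheck", "disable") != "enable":
                    findings.append(f"url-match {name}: ftp-forward-server {ftp_fwd} has no health check")
        # 'forward-server' (GUI 'Forward to Server') is for HTTP/SOCKS servers;
        # the GUI accepts an FTP-only server here without complaint.
        generic_fwd = match.get("forward-server")
        if generic_fwd and protocols(servers.get(generic_fwd, {})) == ["ftp"]:
            findings.append(f"url-match {name}: forward-server {generic_fwd} is FTP-only; "
                            "use ftp-forward-server")

    if not any(p.get("type") == "explicit-ftp" and p.get("action") == "accept"
               for p in policies.values()):
        findings.append("firewall policy: no accept policy with type explicit-ftp")
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_forwarding(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of ‘show full-configuration’ for the relevant tables to catch the hidden-default and GUI-selection pitfalls before testing traffic; the parser treats an absent ‘set protocol’ as the hidden ‘http socks’ default, which is exactly what a non-full ‘show’ omits.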
Copyright 2025 Fortinet, Inc. All Rights Reserved.