Technical Tip: How to access FTP server externally on different port

Description

This article explains how to access an FTP server externally using a different port (instead of the standard port).

Scope

FortiGate.

Solution

By default, FTP is accessible on port 21 and even when the port is configured forwarding on the firewall to use FTP server on different port, users are unable to connect to the FTP server and receive the following error:

The configuration explained below will help users to gain access to the FTP server externally on a different port number with a port forwarding configuration on FortiGate:

It is necessary to add session helper for different port on which FTP server is accessible externally.

The FTP session helper tracks PORT, PASV, and 227 commands, modifies the IP addresses and port numbers within the FTP packet payloads, and dynamically opens the necessary ports on the FortiGate device.

Configuration setup:

config sys session-helper
    edit <id>
        set name ftp
        set protocol 6
        set port <port number>
    next
end

Example:

To use FTP server externally, such as on port 9630.

config sys session-helper
    edit 22
        set name ftp
        set protocol 6
        set port 9630
    next
end