RichardH
New Member
November 18, 2009
Question

Custom Service and VIP (FTP using TLS - port 990)

  • November 18, 2009
  • 5 replies
  • 11005 views
My firewall isn't allowing me to pass custom services to my VIP policies.

FortiGate 110C v4.0,build0185,091020 (MR1 Patch 1)

Service FTPS - TCP Port 990:990 -> 990:990

Virtual IP
VIP: VIP_TEST
WAN IP: 111.222.333.444
Internal: 4.3.2.1
No port ranges, no port forwards.

Firewall
WAN: ALL -> Internal: VIP_TEST
Service: FTPS (port 990)
NAT - No

I try and connect, I get nothing. If I change the service to 21 and allow non-TLS connections, it works. If I set port 990 as a port forward on the VIP, it works. This isn't a solution; I have a few services this computer will be providing and need to provide many custom ports...

    5 replies

    rwpatterson
    New Member
    November 18, 2009
    Is the service built in, or is it one you created? If the latter, did you set the source range to 1024-65535? The source isn't the same port every time.
    RichardH (Author)
    New Member
    November 18, 2009
    I set the source port to 990 - 990. The service is static; for TLS connections it listens on port 990 (SSL certificate).
    rwpatterson
    New Member
    November 19, 2009
    ORIGINAL: RichardH: The service is static; for TLS connections it listens on port 990 (SSL certificate)
    Listening indicates the destination port. The source port would be the 'yelling' side...
    RichardH (Author)
    New Member
    November 18, 2009
    Here's the service I created:
      config firewall service custom
          edit "FTPS"
              set protocol TCP/UDP
              set tcp-portrange 990-990:990-990
          next
      end
    RichardH (Author)
    New Member
    November 18, 2009
    Firewall rule (the policy entry, shown inside its config firewall policy block):
      config firewall policy
          edit 20
              set srcintf "wan2"
              set dstintf "any"
              set srcaddr "all"
              set dstaddr "VIP_MIS_RICH_TEST"
              set action accept
              set schedule "always"
              set service "FTPS"
          next
      end
    RichardH (Author)
    New Member
    November 19, 2009
    rwpatterson, after repeating yourself, I think I understand... I set the source to 1024 and 65536 and the service is working. Thanks!
    rwpatterson
    New Member
    November 19, 2009
    Any time! FYI, take a look at the traffic monitor, and filter on destination port 990. You'll see what I mean.
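The point rwpatterson makes in this thread, that a FortiGate custom service's tcp-portrange is written as destination-range:source-range and that a client's source port is an ephemeral port rather than 990, can be checked offline with a small matcher. The following is an added example and not code from the thread or from Fortinet: it parses the two tcp-portrange values discussed above (the broken 990-990:990-990 and a corrected 990:1024-65535), then runs a handful of constructed connection records, in the spirit of the traffic monitor filtered on destination port 990, through each service to show how many real clients each one would actually let through. The log format and IP addresses are constructed for the example; treating an omitted source range as "any port" is an assumption of this example.

```python
"""Demonstrate why a FortiGate custom service needs an ephemeral source range.

FortiOS stores a custom TCP service as  <dst-range>[:<src-range>].  A policy
using the service only matches a connection whose destination AND source
ports both fall inside those ranges.  FTPS clients pick a random high source
port, so pinning the source range to 990 drops almost every real session.
All sample data below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The two tcp-portrange values under discussion (constructed from the thread).
BROKEN_FTPS = "990-990:990-990"   # dst 990 AND src 990: rejects ephemeral ports
FIXED_FTPS = "990:1024-65535"     # dst 990, src any ephemeral port


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high


def parse_range(text: str) -> PortRange:
    """Parse '990' or '1024-65535' into a PortRange, rejecting bad bounds."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", text.strip())
    if not m:
        raise ValueError(f"bad port range: {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return PortRange(low, high)


def parse_tcp_portrange(value: str) -> tuple[PortRange, PortRange]:
    """Split a 'set tcp-portrange' value into (dst, src) ranges.

    An omitted source range is treated as any port (assumption of this example).
    """
    dst_text, _, src_text = value.partition(":")
    dst = parse_range(dst_text)
    src = parse_range(src_text) if src_text else PortRange(1, 65535)
    return dst, src


def service_matches(service: str, src_port: int, dst_port: int) -> bool:
    """True if a connection with these ports would match the custom service."""
    dst, src = parse_tcp_portrange(service)
    return dst.contains(dst_port) and src.contains(src_port)


# Constructed connection records, 'src_ip:src_port -> dst_ip:dst_port',
# as one might see in the traffic monitor filtered on destination port 990.
SAMPLE_CONNECTIONS = [
    "198.51.100.5:51234 -> 203.0.113.10:990",
    "198.51.100.6:49152 -> 203.0.113.10:990",
    "198.51.100.7:990 -> 203.0.113.10:990",   # only client the broken service passes
    "198.51.100.8:52000 -> 203.0.113.10:21",  # plain FTP control, not this service
]

LOG_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


def parse_connection(line: str) -> tuple[int, int]:
    """Extract (src_port, dst_port) from one constructed log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable connection record: {line!r}")
    return int(m.group(2)), int(m.group(4))


def count_matches(service: str, lines: list[str]) -> int:
    """Return how many of the sample connections the service would accept."""
    return sum(service_matches(service, *parse_connection(line)) for line in lines)


if __name__ == "__main__":
    for label, svc in (("broken", BROKEN_FTPS), ("fixed", FIXED_FTPS)):
        dst, src = parse_tcp_portrange(svc)
        print(f"{label:6s} {svc:18s} dst={dst.low}-{dst.high} src={src.low}-{src.high} "
              f"accepts {count_matches(svc, SAMPLE_CONNECTIONS)}/{len(SAMPLE_CONNECTIONS)}")
```

Running it shows the broken service accepting only the one artificial client that happened to use source port 990, while the corrected service accepts every FTPS control connection and still ignores the port-21 session.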
    dudarra
    New Member
    February 24, 2016

    hey guys,

    i have one question about FTPS....

    for the destination port i choose --> 990
    for the source port i choose --> 1024-65535

    is this correct?

    cheers raffa