Skip to main content
Brent
Brent
New Member
November 29, 2017
Solved

FTP Connection

  • November 29, 2017
  • 1 reply
  • 51006 views

Hi, 

 

I'm having an issue with establishing an FTP connection through my Fortigate 600c running FortiOS 5.4.

 

I have the Session Helper configured:

set name ftp
set protocol 6
set port 21

 

And a policy configured:

set name "Internet to FTP Server"
set srcintf "External"
 set dstintf "local"
 set srcaddr "all"
 set dstaddr "VIP for FTP"
 set action accept
 set schedule "always"
 set service "FTP Services" (Also tried "ALL")

"FTP Services" has all members for "FTP"

edit "FTP Services"
 set member "FTP" "FTP_GET" "FTP_PUT"
 next

 

But I cannot establish an FTP Connection.  I can connect to the server, but there is no data transfer (i.e. to get directory listing).  Here is a log from FileZilla

 

Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <Local IP address>,237,96
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,251).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <local IP>,237,99
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,252).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

 

Does anyone have any idea what I am missing?

 

Thanks

    Best answer by tanr

    Shot in the dark, but does your security policy for FTP have NAT turned on?

    1 reply

    packetpusher
    packetpusher
    New Member
    November 30, 2017

    I am sure the following URL will help you understand what gets to be done in order to fix this issue. 

    Ref. http://slacksite.com/other/ftp.html

     

    Brent
    BrentAuthor
    New Member
    November 30, 2017

    mstoyanoff wrote:

    I am sure the following URL will help you understand what gets to be done in order to fix this issue. 

    Ref. http://slacksite.com/other/ftp.html

     

    Really?  No, that is not helpful at all.  I know how FTP works in its essence, but everything I have read so far indicates that on the fortigate I should only need to open port 21 to my server, and session helpers will open the other ports as required for passive FTP, and active FTP should work regardless right (I may have that wrong).  If you read the logs in my original post then you'll see that neither active nor passive FTP traffic is passing through.

     

    The question was and remains, what configuration on the fortigate am I missing to allow FTP to work as I have configured as per all the posts I have read, but it's not working so I must be missing something.

     

    Thanks

    rwpatterson
    rwpatterson
    New Member
    December 1, 2017

    Does the FTP work from the inside (the LAN)?

    Are the FTP services the default or are they custom?

    Is there another policy before this one that may be grabbing the traffic and denying it?

    Terms & ConditionsAccessibility statement