FTP passive Mode problem

Question, asked by Contributor, April 17, 2009
  • 4 replies
  • 5794 views
Hi all, since an upgrade to 4.0.2, I can't run my FTP server and connect in passive mode anymore. When the external FTP client sends the PASV command, the server returns the right port for the data channel, but the client doesn't receive the same one. The FortiGate changes the value on the fly. No protection profile is applied to the rules. Simple rules. V3.0 MR7 P4 works. Any idea? I think I hit a bug.... Armand


    abelio (SuperUser)
    April 17, 2009
    Hello, I've similar firmware and FTP servers (Linux ones) but I cannot reproduce the issue. Could you post your settings? (VIP and policy definition) Here are mine:

        config firewall vip
            edit "Virtual_FTP"
                set extip xx.xx.xx.xx
                set extintf "wan1"
                set portforward enable
                set mappedip yy.yy.yy.yy
                set extport 21
                set mappedport 21
            next
        end
        config firewall policy
            edit 14
                set srcintf "wan1"
                set dstintf "internal1"
                set srcaddr "FTPgroup"
                set dstaddr "Virtual_FTP"
                set action accept
                set schedule "always"
                set service "FTP"
                set logtraffic enable
            next
        end
    Contributor
    April 18, 2009
    abel, your config seems to use active mode FTP, not passive, because you must open the passive port range; if you use proftpd, look at the PassivePorts entry in proftpd.conf. Active mode is working OK.

        config firewall vip
            edit "ftp.contactonlinet.be"
                set extip 213.177.64.21
                set extintf "Outside"
                set mappedip xx.Xx.xx.xx
            next
        end
        config firewall policy
            edit 61
                set srcintf "Outside"
                set dstintf "Inside"
                set srcaddr "all"
                set dstaddr "ftp.contactonlinet.be" "ftp-web03.cybernet.be" "ftp.cybernet.be" "ftp.fruitnetsoft.be"
                set action accept
                set schedule "always"
                set service "FTP-Service"
                set logtraffic enable
            next
        end
        config firewall service custom
            edit "FTP-Service"
                set protocol TCP/UDP
                set tcp-portrange 21-21:1-65535 20-20:1-65535 1024-1088:1-65535 51000-65534:1-65535
            next
        end
    abelio (SuperUser)
    April 18, 2009
    Quoting: "your config seems to use active mode FTP, not passive, because you must open the passive port range; if you use proftpd, look at the PassivePorts entry in proftpd.conf"

    I'm using active/passive mode with this setup using vsftpd servers (not proftpd). I'm talking active/passive in the http://slacksite.com/other/ftp.html sense. (You can change the source ports of your custom service from 1-65535 to 1024-65535, but this is just a comment, not directly related to the thread.) BTW, maybe it's forged to post here, but the FTP server you've posted seems to be a windoze one, not a proftpd one:

        ftp 213.177.64.21
        Connected to 213.177.64.21.
        220 Welcome to ContactOnline User's area
        504 Unknown auth method GSSAPI
        504 Unknown auth method KERBEROS_V4
        KERBEROS_V4 rejected as an authentication type
        Name (213.177.64.21:abel): anonymous
        331 Guest login ok, send your complete e-mail address as password.
        Password:
        530 Login incorrect - (anonymous), No Domain or User Class defined for User.
        Login failed.
        Remote system type is Windows_NT.
    Contributor
    April 20, 2009
    I tried with a different FTP server; yes, this one is a Windows one... Same problem. I tried a FG300A with 4.0.2 and different FG310Bs with 4.0.2, same problem... When the FTP client sends the PASV command, there is a difference between what the server gives and what the client receives.
    Contributor
    April 21, 2009
    Answer from support... This is a known issue reported in FortiOS 4.0 as bug #94735; it is scheduled to be fixed in FortiOS 4.1.0. In FortiOS 4.0 the port for the data connection is translated by the FortiGate to a lower port (<1024), so some clients are not able to establish the data connection (the data connection request is not received on the FortiGate), but in some locations it is working.
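The symptom the thread describes is an FTP ALG rewriting the 227 "Entering Passive Mode" reply on its way through the firewall. A practical way to confirm it is to capture the 227 line on the server side (e.g. with tcpdump on the server) and on the client side (most command-line clients print replies with debug/verbose on), then compare the two. The script below is an added example, not code from the thread or from Fortinet: it parses the RFC 959 PASV reply, decodes the port (p1*256+p2), and reports whether the firewall changed the address (expected behind a VIP), changed the port (not expected), pushed it below 1024 (the behaviour support describes), or moved it outside the server's configured passive range. The sample 227 lines, the internal server address 10.0.0.5 and the passive range 51000-65534 (taken from the custom service posted above) are constructed assumptions for the demonstration.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Only the 6-tuple in parentheses is standardised; the text varies by server.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) decoded from a 227 reply, or None if it is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # every field is an 8-bit value
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def compare_pasv(server_line, client_line, passive_range=(51000, 65534)):
    """Compare the 227 reply the server sent with the one the client received.

    passive_range is the server's configured PassivePorts range (assumed here
    to be 51000-65534, the upper range of the custom service in the thread).
    """
    srv = parse_pasv(server_line)
    cli = parse_pasv(client_line)
    if srv is None or cli is None:
        raise ValueError("not a PASV (227) reply")
    lo, hi = passive_range
    return {
        "server": srv,
        "client": cli,
        "ip_rewritten": srv[0] != cli[0],        # normal behind a VIP (internal -> external IP)
        "port_rewritten": srv[1] != cli[1],      # should be False for a plain port-forward VIP
        "client_port_privileged": cli[1] < 1024,  # the FortiOS 4.0 symptom described by support
        "client_port_in_passive_range": lo <= cli[1] <= hi,
    }


def diagnose(server_line, client_line, passive_range=(51000, 65534)):
    """Return a list of human-readable findings for the two captured replies."""
    r = compare_pasv(server_line, client_line, passive_range)
    findings = []
    if r["ip_rewritten"]:
        findings.append("address rewritten %s -> %s (expected for a VIP)" % (r["server"][0], r["client"][0]))
    if r["port_rewritten"]:
        findings.append("port rewritten %d -> %d (ALG changed the data port)" % (r["server"][1], r["client"][1]))
    if r["client_port_privileged"]:
        findings.append("client told to connect to privileged port %d (<1024)" % r["client"][1])
    if not r["client_port_in_passive_range"]:
        findings.append("client port %d is outside the allowed passive range %d-%d" % (r["client"][1], passive_range[0], passive_range[1]))
    return findings or ["PASV reply passed through unchanged apart from the address"]


if __name__ == "__main__":
    # Constructed sample: what the server sent vs what the client saw.
    SERVER_227 = "227 Entering Passive Mode (10,0,0,5,199,60)"       # port 51004
    CLIENT_227 = "227 Entering Passive Mode (213,177,64,21,3,232)"   # port 1000
    for line in diagnose(SERVER_227, CLIENT_227):
        print(line)
```

Run it against lines captured on both sides of the firewall; with a healthy port-forward VIP only the address should differ. If the client-side port is below 1024 or outside the range your policy opens, the data connection will never reach the server, which matches the support answer above.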