FTPS in DMZ problem

Hi,

I have the FTP server in DMZ.

I have two questions about best settings on FortiGate:

1. how to set the rules to pass traffic to ftp server from both sides: WAN side and LAN side. The problem is, after client enter passive mode, server responds with internal IP address and WAN side clients can not connect. I can change settings on FTP server and it responds with external IP address but then clients from LAN can not connect.

2. both FTP and FTPS connections are initiated on port 21. It is possible to pass only secure traffic FTPS (FTP over TLS / SSL) and prevent clients to use regular FTP on the FortiGate?