wcruvinel
Staff
Article Id 415164
Description

This article explains an issue where FTP passive mode using EPSV fails after upgrading to v7.2.12 due to a session helper behavior change. Disable the FTP session helper and allow high TCP port ranges explicitly in the firewall policy to restore passive mode FTP functionality.

Scope

FortiOS v7.2.12 with Virtual IP (VIP) and FTP traffic using EPSV.
Solution

Problem Description:

After upgrading FortiGate to v7.2.12, users may experience failures when using FTP in passive mode (EPSV). While the control channel (port 21) functions as expected, the data channel (EPSV high ports) does not open, resulting in timeouts or errors such as:

curl: (28) server response timeout


Trigger Conditions:

  • FortiGate running v7.2.12.
  • FTP traffic processed via a Virtual IP (VIP).
  • Session helper is enabled and configured to handle FTP.
  • FTP client sends the EPSV command.
  • FTP server responds with 229 Entering Extended Passive Mode (|||<port>|).
  • No data connection is established.


Expected Behavior:

The FTP session helper should inspect the EPSV response, extract the passive port, and open the necessary high-port connection dynamically without requiring explicit service definitions in the policy.


Observed Behavior:

The EPSV response is not handled correctly by the session helper, and the high TCP port required for the passive data connection is not permitted. This results in failed transfers or server timeouts. Active mode (PORT) continues to function correctly.


Workaround:

To restore passive mode FTP functionality while Fortinet investigates the issue, disable the FTP session helper and explicitly define a custom service to allow the high port range used by the FTP server.


Step 1: Create Custom Services:

config firewall service custom
    edit "FTP_No_ALG"
        set tcp-portrange 21
        set helper disable
    next
    edit "FTP_PASV_RANGE"
        set tcp-portrange 1024-65535
        set helper disable
    next
end


Step 2: Update or Create Firewall Policy:


config firewall policy
    edit <policy_id>
        set name "FTP Passive Workaround"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "vip-ftp-server"
        set schedule "always"
        set service "FTP_No_ALG" "FTP_PASV_RANGE"
        set action accept
        set logtraffic all
    next
end


Validation:

After applying the workaround, passive FTP transfers should resume successfully. For example, a successful curl transfer will include:


< 229 Entering Extended Passive Mode (|||53444|)
* Connecting to x.x.x.x:53444
< 226 Transfer complete.
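The expected-behavior section above describes what the session helper should do with the 229 reply (parse out the passive port so the data connection can be opened), and the validation output shows the lines to look for. The following added example, which is not part of the article or of FortiOS, does both over a constructed curl transcript: it extracts the port from an EPSV 229 reply and checks whether it falls inside the 1024-65535 range that the FTP_PASV_RANGE service permits.

```python
import re

# Range permitted by the workaround's FTP_PASV_RANGE custom service.
PASV_RANGE = (1024, 65535)

# RFC 2428 EPSV reply form: 229 <text> (|||<port>|)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)\s*$")


def parse_epsv_reply(line: str):
    """Return the passive data port from a 229 EPSV reply, or None when
    the line is not a well-formed EPSV response (e.g. a PASV 227 reply)."""
    m = EPSV_RE.match(line.strip())
    if not m:
        return None
    port = int(m.group(1))
    return port if 1 <= port <= 65535 else None


def port_allowed(port: int, allowed=PASV_RANGE) -> bool:
    """True when the passive port is covered by the allowed TCP range."""
    lo, hi = allowed
    return lo <= port <= hi


def check_transfer_log(log: str) -> dict:
    """Walk curl verbose output ('< ' marks server replies) and report the
    passive port, whether the policy range covers it, and whether the
    transfer completed (226)."""
    result = {"port": None, "allowed": False, "completed": False}
    for line in log.splitlines():
        line = line.strip()
        if not line.startswith("< "):
            continue
        reply = line[2:]
        port = parse_epsv_reply(reply)
        if port is not None:
            result["port"] = port
            result["allowed"] = port_allowed(port)
        elif reply.startswith("226 "):
            result["completed"] = True
    return result


# Constructed transcript mirroring the validation output in the article.
SAMPLE_LOG = """\
< 229 Entering Extended Passive Mode (|||53444|)
* Connecting to x.x.x.x:53444
< 226 Transfer complete.
"""

if __name__ == "__main__":
    print(check_transfer_log(SAMPLE_LOG))
```

If the reported port is outside PASV_RANGE, the FTP server's configured passive range and the FTP_PASV_RANGE service disagree and the service definition must be adjusted to match the server.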


Additional Information:

  • Active mode (PORT/EPRT) FTP is not affected.
  • This issue does not occur on FortiOS 7.2.11.
  • A fix may be implemented in future firmware (e.g., v7.2.13 or interim).
  • This workaround should remain in place until the session helper behavior is corrected or patched.