| Description | This article describes the behavior of passive-mode FTP traffic when using FileZilla Client with an FTP Server behind FortiGate. |
| Scope | FileZilla Client v3.67.1, FortiGate v7.4.x. |
| Solution |
In this scenario, the FTP Client is located externally and needs to access the internal FTP Server behind FortiGate:
FTP Client (10.253.0.17) --- Internet --- VIP 10.47.3.179 (FortiGate) -- FTP Server 10.171.2.142
config firewall VIP
With FTP Session Helper, FortiGate will translate the 'Passive IP address' on the FTP packet to the external IP Address:
config system session-helper
This way, the FileZilla Client can open the data connection to the external IP address of the FTP Server. Without FTP Session Helper, the 'Passive IP address' field will still contain the local IP address.
The data transfer will then fail because FortiGate will not allow incoming FTP traffic directly to private IP addresses. FileZilla Client has a setting to use the server's external IP address, but it does not seem to be enforced: FileZilla Client still tries to connect to the private IP address of the FTP Server.
|
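The following is an added example, not part of the original article or of any Fortinet or FileZilla code: it parses the 227 passive-mode reply, models the address translation the article attributes to the FTP Session Helper, and checks whether the advertised data address matches the address the client dialed. The sample reply, the port value and all function names are constructed for illustration; the IP addresses are the ones from the scenario above.

```python
import re

# Constructed sample: the 227 reply the internal server (10.171.2.142) would
# send for data port 50000 (195 * 256 + 80), in RFC 959 h1,h2,h3,h4,p1,p2 form.
SAMPLE_REPLY = "227 Entering Passive Mode (10,171,2,142,195,80)"
SERVER_IP = "10.171.2.142"   # internal FTP server, from the article
VIP_IP = "10.47.3.179"       # FortiGate VIP the client connects to

PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rewrite_pasv(reply, internal_ip, external_ip):
    """Model of the helper's translation: swap internal IP for the external one."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != internal_ip:
        return reply  # nothing to translate
    port = parsed[1]
    host = external_ip.replace(".", ",")
    return f"227 Entering Passive Mode ({host},{port >> 8},{port & 0xFF})"

def data_target_matches_control(reply, control_ip):
    """True if the passive address equals the address the client dialed."""
    parsed = parse_pasv(reply)
    return parsed is not None and parsed[0] == control_ip

if __name__ == "__main__":
    for label, reply in (("without helper", SAMPLE_REPLY),
                         ("with helper", rewrite_pasv(SAMPLE_REPLY, SERVER_IP, VIP_IP))):
        ip, port = parse_pasv(reply)
        ok = data_target_matches_control(reply, VIP_IP)
        print(f"{label}: data -> {ip}:{port} reachable_via_vip={ok}")
```

Because every address in this lab is in 10.0.0.0/8, the check compares the passive address with the control-connection address rather than testing for a private range.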