FortiGate
jiahoong112 (Staff)
Article Id 242682
Description: This article describes why configuration backups from a FortiGate to a Windows FTP server can fail and how to fix this. It also briefly covers Active and Passive FTP modes.
Scope

FortiGate.

When this command is used to back up the FortiGate configuration to an FTP server:

execute backup config ftp /<file-directory>/backup.conf <ftp-server-ip> <username> <password>

Related link: 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-send-automated-backups-of-the-confi... 

Solution

FTP (File Transfer Protocol) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet. FTP has two main modes of operation: Active and Passive.

FTP uses two separate TCP ports: Port 21 carries the control channel (commands such as requesting a file) and Port 20 carries the data channel (the actual contents of the requested file).

The FTP client opens a random port in the range 1024-65535 to listen for the data connection from the server. Inbound connections to these high ports are often blocked by firewalls.

 

In Active Mode, the client initiates the control connection to the server and requests a file.

The server then opens a new connection back to the client to send the requested file.

In this mode, the client sends its own IP address and port to the server, and the server uses that information to open the data connection to the client.

In Passive Mode, the client also initiates the control connection and requests a file, but instead of the server opening a new connection to the client, the server responds with its own IP address and a port it is listening on.

The client then opens a new connection to that port on the server to receive the requested file.

Passive Mode is useful when the client is behind a firewall that blocks incoming connections.

 

FortiGate uses Passive Mode FTP, so for a backup the Windows FTP server has to accept the inbound data connection on one of its high ports. By default, Windows Firewall blocks that inbound connection, and the backup initiated by the FortiGate fails.
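To make the difference between the two modes concrete, here is an added example (not part of the article, and not FortiGate or Windows code): it parses a constructed FTP control-channel exchange of the kind a Wireshark capture of the backup would show, works out which host has to accept the data connection and on which port, and checks that against a minimal model of the Windows Firewall inbound rule. The IPs are the ones from the article's capture; the session lines, the user name and the port numbers are constructed.

```python
"""Active vs Passive FTP: which side listens for the data connection, and is it blocked?

Added example; not from the Fortinet article. The FortiGate and Windows FTP server IPs
are the article's, the FTP control-channel lines and port numbers are constructed.
"""
import re
from dataclasses import dataclass

FORTIGATE_IP = "10.185.1.210"   # FTP client (article's capture)
FTP_SERVER_IP = "10.185.1.25"   # Windows FTP server (article's capture)

# "PORT h1,h2,h3,h4,p1,p2" (Active) and "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# (Passive) both encode an IPv4 address and a 16-bit port as six decimal fields (RFC 959).
_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_host_port(text: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple into ("a.b.c.d", port)."""
    m = _SIX_TUPLE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass(frozen=True)
class DataConnection:
    mode: str        # "active" or "passive"
    listener: str    # host that must accept the inbound data connection
    port: int        # TCP port that host listens on
    connector: str   # host that opens the data connection

def data_connection(control_lines, client_ip, server_ip) -> DataConnection:
    """Derive the data connection from the control channel.

    Active: client sends PORT, the server connects out to the client.
    Passive: client sends PASV, the server answers 227, the client connects to the server.
    """
    for line in control_lines:
        if line.startswith("PORT "):
            host, port = decode_host_port(line)
            return DataConnection("active", host, port, server_ip)
        if line.startswith("227 "):
            host, port = decode_host_port(line)
            return DataConnection("passive", host, port, client_ip)
    raise ValueError("no PORT command or 227 reply in control channel")

def inbound_allowed(conn: DataConnection, host_ip: str, allowed_ports: range) -> bool:
    """Minimal host-firewall model: an inbound TCP connection to host_ip is allowed only
    if its destination port is covered by an inbound allow rule. Connections that
    terminate on some other host are not this firewall's concern."""
    if conn.listener != host_ip:
        return True
    return conn.port in allowed_ports

# Constructed control-channel lines, client and server directions interleaved as in a capture.
PASSIVE_SESSION = [
    "USER backup",
    "331 Password required",
    "PASS ********",
    "230 User logged in",
    "PASV",
    "227 Entering Passive Mode (10,185,1,25,195,80)",   # 195*256+80 = 50000 on the server
    "STOR /backups/backup.conf",
]
ACTIVE_SESSION = [
    "USER backup",
    "331 Password required",
    "PASS ********",
    "230 User logged in",
    "PORT 10,185,1,210,4,1",   # 4*256+1 = 1025 on the FortiGate side
    "STOR /backups/backup.conf",
]

WINDOWS_DEFAULT = range(0)               # no inbound allow rule covering the data ports
WINDOWS_WITH_RULE = range(1024, 65536)   # after: netsh ... localport=1024-65535

def explain(session, rule):
    """Return the derived data connection and whether the server's firewall lets it in."""
    conn = data_connection(session, FORTIGATE_IP, FTP_SERVER_IP)
    return conn, inbound_allowed(conn, FTP_SERVER_IP, rule)

if __name__ == "__main__":
    for name, sess in (("passive", PASSIVE_SESSION), ("active", ACTIVE_SESSION)):
        for rname, rule in (("default", WINDOWS_DEFAULT), ("with rule", WINDOWS_WITH_RULE)):
            conn, ok = explain(sess, rule)
            print(f"{name:7} / firewall {rname:9}: {conn.connector} -> "
                  f"{conn.listener}:{conn.port} {'allowed' if ok else 'BLOCKED'}")
```

Run as-is, the passive session is the article's case: the FortiGate connects to the Windows server on a high port, which the default inbound policy blocks and the 1024-65535 rule allows. The active session shows why the same rule would not matter there: the server connects out to the FortiGate, so it is the client side that would have to accept the inbound connection.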

 

In this capture, these are the IPs:

FortiGate IP -> 10.185.1.210

Windows FTP Server IP -> 10.185.1.25

This is what the Wireshark capture looks like when the connection is blocked. The capture was taken on the Windows FTP server:

[Image: jiahoong112_0-1673491412087.png, Wireshark capture with the passive data connection blocked]

 

Solution (either option resolves the issue):

1) Disable Windows Firewall.

2) Allow inbound TCP traffic on ports 1024-65535:

To allow these ports, run this command in PowerShell or Command Prompt. It must be run with Admin/elevated permissions:

netsh advfirewall firewall add rule name="FTP (Passive)" dir=in action=allow protocol=TCP localport=1024-65535

 

After applying the inbound rule on the Windows Firewall, here is what the Wireshark capture should look like:

[Image: jiahoong112_1-1673491985791.png, Wireshark capture with the passive data connection allowed]

 

Note that this issue is not FortiGate related. The FortiGate's default FTP behavior (Passive Mode) is fixed and cannot be changed, so any queries about this should be addressed on the Windows side.