paleshire
New Contributor

Configuring FTP and SFTP

Hello,

  I'm new here and have been using a FortiGate 100D for just a few days now. I'm trying to figure out how to properly configure the inbound ports for FTP and SFTP traffic as well as other types of traffic. I have them coming through and have policies set up as well as services and virtual IPs. Everything is working except for one hitch.

 

  When packets are forwarded to the FTP or SFTP server, the source IP address from the machine connecting through the firewall is stripped out and the local IP address of the Fortinet replaces it. That means that all my SFTP and FTP logs are showing the default gateway address of 192.168.1.254.

 

  Is there a way to preserve the WAN IP of the sender in the packets?

 

  Thank you for any help you can give. It is appreciated. :)

 

2 REPLIES
Carl_Wallmark
Valued Contributor

Hi,

 

You have probably enabled NAT on the incoming firewall policy.

Untick NAT in the policy and you will get the correct IPs.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
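
The check described in the reply above, as an added example that is not part of the thread: a Python script that reads a FortiGate configuration export and lists the policies that forward to a virtual IP with NAT enabled, the condition that makes the server log the gateway address instead of the client. The sample configuration, the VIP name and the function names are constructed for illustration, and it assumes a policy with no `set nat` line has NAT disabled.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, trimmed to the relevant keys.
SAMPLE_CONFIG = """
config firewall vip
    edit "sftp-vip"
        set mappedip "192.168.1.50"
    next
end
config firewall policy
    edit 1
        set dstaddr "sftp-vip"
        set nat enable
    next
    edit 2
        set dstaddr "sftp-vip"
    next
    edit 3
        set dstaddr "all"
        set nat enable
    next
end
"""

def parse_section(text, section):
    """Return {entry: {key: [values]}} for a flat 'config <section>' block."""
    entries, current, inside = {}, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            inside = " ".join(tok[1:]) == section
        elif inside and tok[0] == "end":
            inside = False
        elif inside and tok[0] == "edit":
            current = entries.setdefault(tok[1], {})
        elif inside and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
    return entries

def policies_hiding_client_ip(text):
    """IDs of policies that forward to a VIP with NAT on (server sees gateway)."""
    vips = set(parse_section(text, "firewall vip"))
    # Assumption: a policy with no 'set nat' line has NAT disabled.
    return [pid for pid, pol in parse_section(text, "firewall policy").items()
            if pol.get("nat") == ["enable"]
            and vips.intersection(pol.get("dstaddr", []))]

if __name__ == "__main__":
    print(policies_hiding_client_ip(SAMPLE_CONFIG))
```

Policy 3 is not reported because its destination is not a virtual IP, so NAT on ordinary outbound traffic is left alone.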

paleshire

That did it. Thank you very much.

:)

 

One other question. When the connection is made to the server from a machine on the LAN but addressing the WAN of our network, is there a way to preserve the IP of the source in this case and not get the gateway address?

 

The machines that are connecting locally are all getting their local IP addresses replaced by the gateway's address. Same as before but from the LAN instead of the WAN. It is also the same policy that has ALL incoming interfaces and LAN as an outgoing interface with NAT disabled.

 

Thank you,

 Preston
