Cannot connect to FTPS server outside
Hello.
I've got a small issue: I cannot connect to an external FTPS server which uses port 21 for PASV and dynamic ports from 50000 to 55000. I've tried to use the session-helper, and also this workaround with inverted directions: http://kb.fortinet.com/kb/documentLink.do?externalID=FD32835
but it always times out. Is there any feature for this, or a procedure for how to pass this traffic? On the firewall policies for this testing I allow all traffic (ANY services) in both directions.
Thanks in advance.
Create a new policy to the FTPS server without SSL Inspection and move it above the existing policy.
Does the issue disappear with that?
Hello. I've tried like this:
fromif: LAN
toif: ISP
src: all
dst: ftps_server
service: all
permit
rest disabled
fromif: ISP
toif: LAN
src: ftps_server
dst: all
service: all
permit
rest disabled
But it doesn't work.
I can see that the policy LAN->ISP is generating packets, but ISP->LAN doesn't. So is it a case for the session-helper?
tturba wrote:
> I can see that the policy LAN->ISP is generating packets, but ISP->LAN doesn't. So is it a case for the session-helper?

Yes and no.
You don't need an ISP > LAN policy at all. The connection is established from the internal network.
I've disabled this policy as you mentioned. Can I verify/debug somehow where the problem is when I try to connect to the FTPS server address?
tturba wrote:
> I've disabled this policy as you mentioned. Can I verify/debug somehow where the problem is when I try to connect to the FTPS server address?

Have you created an FTPS policy from LAN to external without SSL Inspection, and does it work?
Hello, I've created a policy for FTPS address like this:
incoming if: lan
src addr: all
outgoing if: wan
dst addr: ftps_server
service: all
no nat
no utm (ssl disabled)
permit
Not working...
tturba wrote:
> Hello, I've created a policy for FTPS address like this:
> incoming if: lan
> src addr: all
> outgoing if: wan
> dst addr: ftps_server
> service: all
> no nat
> no utm (ssl disabled)
> permit
> Not working...

If you are going to external you are going to need NAT...
I've tried that with "enable NAT and use outgoing IF address", should I use Fixed port or "Use Dynamic IP Pool" - I think not.
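As an added illustration (not from any of the posters above) of the policy the thread converges on, here is a FortiOS CLI fragment that allows only the FTPS control port and the server's 50000-55000 passive range, with NAT to the outgoing interface address and no SSL inspection, plus the sniffer and debug-flow commands for checking where the connection stalls. Interface names "lan" and "wan", the address object "ftps_server", the service name "FTPS_PASV_50000-55000" and the `<FTPS_SERVER_IP>` placeholder are assumptions.

```fortios
# Constructed example, not the thread's own configuration.
# Service object: control channel (21) plus the server's passive data range,
# so the policy does not need to allow ALL services.
config firewall service custom
    edit "FTPS_PASV_50000-55000"
        set comment "FTPS control (21) and server passive data range"
        set tcp-portrange 21 50000-55000
    next
end

# Outbound policy: no UTM / SSL inspection. With FTPS the control channel is
# TLS-protected, so the ftp session helper cannot read the PASV reply and open
# the data port on its own; the range therefore has to be allowed explicitly.
config firewall policy
    edit 0
        set name "LAN_to_FTPS_server"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "ftps_server"
        set action accept
        set schedule "always"
        set service "FTPS_PASV_50000-55000"
        # Source NAT to the outgoing interface address: no IP pool, no fixed port.
        set nat enable
        set logtraffic all
    next
end
# Place this policy above the general outbound policy that applies SSL inspection,
# e.g. "move <new-id> before <existing-id>" inside "config firewall policy".

# Verification while a client connects (replace the placeholder with the real server IP):
# diagnose sniffer packet any 'host <FTPS_SERVER_IP> and port 21' 4
# diagnose debug flow filter addr <FTPS_SERVER_IP>
# diagnose debug flow trace start 100
# diagnose debug enable
```

If the sniffer shows the SYN to port 21 leaving on the WAN side but no reply, the problem is upstream; if debug flow reports a policy denial or "no session matched" for a 5xxxx data port, the passive range in the service object is the thing to check.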