Hello.
I've got a small issue: I cannot connect to an external FTPS server which uses port 21 for PASV and dynamic ports from 50000 to 55000. I've tried to use the session helper, and also this workaround with inverted directions: http://kb.fortinet.com/kb/documentLink.do?externalID=FD32835
but it always times out. Is there any feature for this, or a procedure for how to pass this traffic? On the firewall policies for this testing I allow all traffic (ANY services) in both directions.
Thanks in advance.
Create a new policy to the FTPS server without SSL Inspection and move it above the existing policy.
Does the issue disappear with that?
Hello. I've tried like this:
fromif: LAN
toif: ISP
src: all
dst: ftps_server
service: all
permit
rest disabled
fromif: ISP
toif: LAN
src: ftps_server
dst: all
service: all
permit
rest disabled
But it doesn't work.
I can see that the policy LAN->ISP is generating packets, but ISP->LAN doesn't. So it is the case of session-helper?
tturba wrote:
Yes and no.
> I can see that the policy LAN->ISP is generating packets, but ISP->LAN doesn't. So it is the case of session-helper?
You don't need an ISP > LAN policy at all. The connection is established from the internal network.
I've disabled this policy as you mention. Can I verify/debug somehow where's the problem when I try to connect to the FTPS server address?
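One way to answer the "can I verify/debug somehow" question from the client side is to walk the explicit-FTPS dialogue step by step and see which step times out. The script below is an added example, not code from the thread or from Fortinet; it assumes explicit FTPS (AUTH TLS on port 21), takes the passive range 50000-55000 from the question, and treats the host, user and password as placeholders passed on the command line. A failure at the control connect points at the LAN->WAN policy or NAT, a failure only at the data connect points at the passive port range, which a firewall cannot pin-hole dynamically once the control channel is encrypted.

```python
"""Passive FTPS connectivity diagnostic (added example, not from the thread).

Walks the explicit-FTPS dialogue one step at a time and stops at the first
failing step, so a blocked control channel (TCP/21) can be told apart from a
blocked passive data channel (assumed range 50000-55000, from the question).
"""
import re
import socket
import ssl
import sys

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PASV_RANGE = (50000, 55000)  # server's advertised passive range (assumption)


def read_reply(f):
    """Read one (possibly multi-line) FTP reply from a binary file object."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if re.match(r"^\d{3} ", line):  # 'NNN<space>' marks the last line
            return "\n".join(lines)


def parse_pasv(reply):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def explain(step):
    """What a failure at the given step usually means on the firewall side."""
    hints = {
        "control-connect": "TCP/21 outbound never reaches the server: check the "
                           "LAN->WAN policy and that NAT is enabled on it.",
        "tls-handshake": "TCP/21 is open but TLS fails: an SSL inspection profile "
                         "on the policy may be interfering with AUTH TLS.",
        "data-connect": "Control channel works but the passive data port is blocked: "
                        "ports %d-%d must be allowed outbound by policy, because the "
                        "FTP session helper cannot read the encrypted PASV reply and "
                        "so cannot open them dynamically." % PASV_RANGE,
    }
    return hints.get(step, "failure at step %r; inspect the reply text" % step)


def diagnose(host, user, password, timeout=10, verify=True):
    """Return [(step, result), ...]; the last entry is the first failure, if any."""
    results = []
    try:
        sock = socket.create_connection((host, 21), timeout=timeout)
    except OSError as e:
        return [("control-connect", "FAIL: %s" % e)]
    results.append(("control-connect", "ok"))
    try:
        f = sock.makefile("rb")
        results.append(("greeting", read_reply(f).splitlines()[-1]))
        sock.sendall(b"AUTH TLS\r\n")
        if not read_reply(f).startswith("234"):
            return results + [("auth-tls", "FAIL: server refused AUTH TLS")]
        ctx = ssl.create_default_context()
        if not verify:  # self-signed server certificate: diagnosis only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            sock = ctx.wrap_socket(sock, server_hostname=host)
        except (ssl.SSLError, OSError) as e:
            return results + [("tls-handshake", "FAIL: %s" % e)]
        results.append(("tls-handshake", "ok"))
        f = sock.makefile("rb")

        def cmd(line):
            sock.sendall(line.encode("latin-1") + b"\r\n")
            return read_reply(f)

        reply = cmd("USER " + user)
        if reply.startswith("331"):
            reply = cmd("PASS " + password)
        if not reply.startswith("2"):
            return results + [("login", "FAIL: " + reply.splitlines()[-1])]
        results.append(("login", "ok"))
        cmd("PBSZ 0")
        cmd("PROT P")  # encrypt the data channel as well
        data_host, data_port = parse_pasv(cmd("PASV"))
        if not PASV_RANGE[0] <= data_port <= PASV_RANGE[1]:
            results.append(("pasv", "warning: port %d outside %d-%d" % ((data_port,) + PASV_RANGE)))
        results.append(("pasv", "%s:%d" % (data_host, data_port)))
        try:
            socket.create_connection((data_host, data_port), timeout=timeout).close()
        except OSError as e:
            return results + [("data-connect", "FAIL: %s" % e)]
        results.append(("data-connect", "ok"))
        cmd("QUIT")
    except (OSError, ValueError) as e:
        results.append(("control-exchange", "FAIL: %s" % e))
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: ftps_diag.py HOST USER PASSWORD")
    for step, result in diagnose(*sys.argv[1:]):
        print("%-16s %s" % (step, result))
        if result.startswith("FAIL"):
            print("hint:", explain(step))
```

Run it from a LAN host with the same timeout the firewall policy sees; the "pasv" line also shows the address the server advertises, which matters when the server sits behind its own NAT and hands out a private address.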
tturba wrote:
Have you created an FTPS policy from LAN to external without SSL Inspection, and does it work?
> I've disabled this policy as you mention. Can I verify/debug somehow where's the problem when I try to connect to the FTPS server address?
Hello, I've created a policy for FTPS address like this:
incoming if: lan
src addr: all
outgoing if: wan
dst addr: ftps_server
service: all
no nat
no utm (ssl disabled)
permit
Not working...
tturba wrote:
If you are going to external you are going to need NAT...
> Hello, I've created a policy for FTPS address like this:
> incoming if: lan
> src addr: all
> outgoing if: wan
> dst addr: ftps_server
> service: all
> no nat
> no utm (ssl disabled)
> permit
> Not working...
I've tried that with "enable NAT and use outgoing IF address". Should I use Fixed port or "Use Dynamic IP Pool"? I think not.
Copyright 2024 Fortinet, Inc. All Rights Reserved.