Configuring FTP and SFTP
Hello,
I'm new here and have been using a FortiGate 100D for just a few days now. I'm trying to figure out how to properly configure the inbound ports for FTP and SFTP traffic as well as other types of traffic. I have them coming through and have policies set up as well as services and virtual IPs. Everything is working except for one hitch.
When packets are forwarded to the FTP or SFTP server, the source IP address from the machine connecting through the firewall is stripped out and the local IP address of the Fortinet replaces it. That means that all my SFTP and FTP logs are showing the default gateway address of 192.168.1.254.
Is there a way to preserve the WAN IP of the sender in the packets?
Thank you for any help you can give. It is appreciated. :)
- Labels: 5.4
Hi,
You have probably enabled NAT on the incoming firewall policy.
Untick NAT in the policy and you will get the correct IPs.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
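The change described in the reply above, written out as FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread; the object name, policy ID, interface names and both server addresses are constructed placeholders.

```fortios
# Virtual IP: destination NAT from the public address to the internal server.
# "ftp-sftp-vip", "wan1", 203.0.113.10 and 192.168.1.10 are placeholders.
config firewall vip
    edit "ftp-sftp-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
    next
end

# Inbound policy that uses the VIP as its destination.
# Policy ID 10 and the interface name "lan" are placeholders.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "ftp-sftp-vip"
        set action accept
        set schedule "always"
        set service "FTP" "SSH"
        # With "set nat enable" here, the FortiGate also rewrites the SOURCE
        # address to its own LAN interface address, so the server logs every
        # client as the gateway (192.168.1.254 in the question).
        # With NAT disabled only the destination is translated by the VIP and
        # the server sees the real client address.
        set nat disable
    next
end
```

With the client address preserved, the FTP and SFTP server logs can again be used for per-client attribution and for address-based controls such as rate limiting or blocklists on the server.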
That did it. Thank you very much.
:)
One other question. When the connection is made to the server from a machine on the LAN but addressing the WAN of our network, is there a way to preserve the IP of the source in this case and not get the gateway address?
The machines that are connecting locally are all getting their local IP addresses replaced by the gateway's address. Same as before but from the LAN instead of the WAN. It is also the same policy that has ALL incoming interfaces and LAN as an outgoing interface with NAT disabled.
Thank you,
Preston
