Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

FORTIGATE 110C FTP OVER SSL/TLS

Hi everyone, We are facing a problem with ftp connection over SSL/TLS. Indeed we manage to access over " normal FTP" but wle doing it over SSL we get correctly authentificated but the list command failed with a timeout. The ftp mode is " passive" and the range of data port is 55300 to 55400. The command port is 10021 Anyone has ever faced this problem? Thx
3 REPLIES 3
Not applicable

I' ve had the same issues in the past and it occurs when you' re proxying the FTP control traffic for scanning purposes. The command sent by the client is received by the firewall/proxy in a garbled manner so it discards it as rubbish and it doesn' t get sent to the actual FTP server. As my understanding goes... The only way I ever got past this was to disable any form of FTP control traffic proxying/inspection. For FTP over explicit SSL (you declare your desire to encrypt), as the connection is set up, it begins life unencrypted with your username and password, then you send a command that says please encrypt, you get a challenge/certificate, accept it and then your FTP client issues the LIST command, which is encrypted. The firewall/proxy receives a packet on port 21 that means nothing to it and it gets discarded because it' s encrypted. Given that you' re having this problem, I guess this is the same issue with the Fortigate so ensure that there is no protection profile interfering with the control traffic on port 21 - just pass it as TCP/21 without scanning it. Generally it is only command traffic anyway and doesn' t contain data, that' s what your passive range is for. HTH. As I said, this is my interpretation of the issue since I had to resolve the issue for clients connecting to our FTP explicit SSL server. They were proxying/scanning the FTP traffic which worked fine when unencrypted but fell over as soon as it was encrypted. Simply using a standard unencrypted TCP port instead of a proxied/scannable port resolved the issue for them.
TopJimmy
New Contributor

are you using " deep scanning" on your unit in the protection profile? If so, try disabling it (build a new PP to test with) and see if that works.
-TJ
-TJ
Linda
New Contributor

The command port is 10021
------change session-helper on ftp to port 10021 or try using active mode.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors