Hi,
I'm having an issue with establishing an FTP connection through my Fortigate 600c running FortiOS 5.4.
I have the Session Helper configured:
set name ftp
set protocol 6
set port 21
And a policy configured:
set name "Internet to FTP Server"
set srcintf "External"
set dstintf "local"
set srcaddr "all"
set dstaddr "VIP for FTP"
set action accept
set schedule "always"
set service "FTP Services" (Also tried "ALL")
"FTP Services" has all members for "FTP"
edit "FTP Services"
set member "FTP" "FTP_GET" "FTP_PUT"
next
But I cannot establish an FTP Connection. I can connect to the server, but there is no data transfer (i.e. to get directory listing). Here is a log from FileZilla
Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <Local IP address>,237,96
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,251).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <local IP>,237,99
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,252).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Does anyone have any idea what I am missing?
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Shot in the dark, but does your security policy for FTP have NAT turned on?
I am sure the following URL will help you understand what gets to be done in order to fix this issue.
Ref. http://slacksite.com/other/ftp.html
mstoyanoff wrote:I am sure the following URL will help you understand what gets to be done in order to fix this issue.
Ref. http://slacksite.com/other/ftp.html
Really? No, that is not helpful at all. I know how FTP works in its essence, but everything I have read so far indicates that on the fortigate I should only need to open port 21 to my server, and session helpers will open the other ports as required for passive FTP, and active FTP should work regardless right (I may have that wrong). If you read the logs in my original post then you'll see that neither active nor passive FTP traffic is passing through.
The question was and remains, what configuration on the fortigate am I missing to allow FTP to work as I have configured as per all the posts I have read, but it's not working so I must be missing something.
Thanks
Does the FTP work from the inside (the LAN)?
Are the FTP services the default or are they custom?
Is there another policy before this one that may be grabbing the traffic and denying it?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote:Does the FTP work from the inside (the LAN)?
Are the FTP services the default or are they custom?
Is there another policy before this one that may be grabbing the traffic and denying it?
Yes the FTP works from within the LAN. Including from a different network segment that routes through the fortigate but has an allow all rule (i.e. 192.168.0.x -> 192.168.1.x).
The FTP Services are default.
I have no deny policies other than the default deny all as the last rule.
An update if it helps anyone help me resolve this issue. Even if the services in the policy are set to "All" I still can't get a connection.
VIPs for other services (such as Http/Https etc) work, fine, but this indicates there might be something wrong with the VIP configuration? Just grasping at straws I guess, but is there any specific configuration required for VIP to support FTP or Session Helpers?
Shot in the dark, but does your security policy for FTP have NAT turned on?
tanr wrote:Shot in the dark, but does your security policy for FTP have NAT turned on?
Well ... no. But I marked your post as helpful as it was the most helpful response. I have found the problem and I'm feeling rather silly. The Server firewall was blocking FTP Passive traffic from the internet, internally it was working as there is an allow all from my internal network. So the issue wasn't with the Fortigate at all.
Thank you for the follow up. It may help someone else in the future. Glad you resolved it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.