FTP Connection
Hi,
I'm having an issue with establishing an FTP connection through my Fortigate 600c running FortiOS 5.4.
I have the Session Helper configured:
set name ftp
set protocol 6
set port 21
And a policy configured:
set name "Internet to FTP Server"
set srcintf "External"
set dstintf "local"
set srcaddr "all"
set dstaddr "VIP for FTP"
set action accept
set schedule "always"
set service "FTP Services" (Also tried "ALL")
"FTP Services" has all members for "FTP"
edit "FTP Services"
set member "FTP" "FTP_GET" "FTP_PUT"
next
But I cannot establish an FTP connection. I can connect to the server, but there is no data transfer (i.e. getting a directory listing fails). Here is a log from FileZilla:
Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <Local IP address>,237,96
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,251).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <local IP>,237,99
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,252).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Does anyone have any idea what I am missing?
Thanks
Shot in the dark, but does your security policy for FTP have NAT turned on?
I am sure the following URL will help you understand what gets to be done in order to fix this issue.
Ref. http://slacksite.com/other/ftp.html
mstoyanoff wrote: I am sure the following URL will help you understand what gets to be done in order to fix this issue.
Ref. http://slacksite.com/other/ftp.html
Really? No, that is not helpful at all. I know how FTP works in its essence, but everything I have read so far indicates that on the Fortigate I should only need to open port 21 to my server, and session helpers will open the other ports as required for passive FTP, and active FTP should work regardless, right? (I may have that wrong.) If you read the logs in my original post, you'll see that neither active nor passive FTP traffic is passing through.
The question was and remains: what configuration on the Fortigate am I missing to allow FTP to work? I have configured it as per all the posts I have read, but it's not working, so I must be missing something.
Thanks
Does the FTP work from the inside (the LAN)?
Are the FTP services the default or are they custom?
Is there another policy before this one that may be grabbing the traffic and denying it?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote: Does the FTP work from the inside (the LAN)?
Are the FTP services the default or are they custom?
Is there another policy before this one that may be grabbing the traffic and denying it?
Yes, the FTP works from within the LAN, including from a different network segment that routes through the Fortigate but has an allow-all rule (i.e. 192.168.0.x -> 192.168.1.x).
The FTP Services are default.
I have no deny policies other than the default deny all as the last rule.
An update if it helps anyone help me resolve this issue. Even if the services in the policy are set to "All" I still can't get a connection.
VIPs for other services (such as HTTP/HTTPS etc.) work fine, but does this indicate there might be something wrong with the VIP configuration? Just grasping at straws I guess, but is there any specific configuration required for a VIP to support FTP or session helpers?
tanr wrote: Shot in the dark, but does your security policy for FTP have NAT turned on?
Well ... no. But I marked your post as helpful as it was the most helpful response. I have found the problem and I'm feeling rather silly. The server firewall was blocking passive FTP traffic from the internet; internally it was working as there is an allow-all from my internal network. So the issue wasn't with the Fortigate at all.
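As an added diagnostic (not from this thread or from Fortinet), the Python below reads a FileZilla-style log like the one in the original post, decodes the PORT and 227 endpoints into host:port, and reports which leg failed: active callback refused, a 227 address the helper/NAT did not rewrite, or a passive data port that a firewall between client and server is dropping, which is what the host firewall turned out to be doing here. The log text and addresses in SAMPLE_LOG are constructed.

```python
import re
# Constructed FileZilla transcript shaped like the thread's log (documentation addresses only).
SAMPLE_LOG = """Status: Connecting to 198.51.100.20:21...
Command: PORT 192,168,1,50,237,96
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (198,51,100,20,244,251).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
"""
CONNECT_RE = re.compile(r"Connecting to ([\d.]+):(\d+)")
SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"Command: PORT " + SIX)
PASV_RE = re.compile(r"Response: 227 .*?\(" + SIX + r"\)")

def decode_endpoint(six):
    """FTP writes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    a, b, c, d, p1, p2 = (int(x) for x in six)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def parse_session(log):
    """Collect the control endpoint, both data endpoints and how the data leg ended."""
    s = {"control": None, "active": None, "port_rejected": False,
         "passive": None, "data_timeout": False}
    for line in log.splitlines():
        if m := CONNECT_RE.search(line):
            s["control"] = (m.group(1), int(m.group(2)))
        elif m := PORT_RE.search(line):
            s["active"] = decode_endpoint(m.groups())
        elif m := PASV_RE.search(line):
            s["passive"] = decode_endpoint(m.groups())
        elif line.startswith("Response: 501") and s["active"] and not s["passive"]:
            s["port_rejected"] = True   # the PORT callback was refused
        elif line.startswith("Error: Connection timed out"):
            s["data_timeout"] = True    # LIST got 150 but the data socket never moved
    return s

def diagnose(s):
    """Each finding points past port 21, since the control channel itself worked."""
    findings = []
    if s["active"] and s["port_rejected"]:
        findings.append(f"active mode refused: no callback to {s['active'][0]}:{s['active'][1]}")
    if s["passive"] and s["control"] and s["passive"][0] != s["control"][0]:
        findings.append(f"227 advertised {s['passive'][0]} but control went to {s['control'][0]}: helper/NAT not rewriting PASV")
    if s["passive"] and s["data_timeout"]:
        findings.append(f"passive data port {s['passive'][1]} unreachable: a firewall between "
                        "client and server is dropping the data connection")
    return findings
```

For the thread's own numbers, 237,96 decodes to port 60768 and 244,251 to port 62715, so the server host firewall had to permit inbound connections to its passive port range, not just port 21.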
Thank you for the follow up. It may help someone else in the future. Glad you resolved it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com