Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Brent
New Contributor

FTP Connection

Hi, 

 

I'm having an issue with establishing an FTP connection through my Fortigate 600c running FortiOS 5.4.

 

I have the Session Helper configured:

set name ftp
set protocol 6
set port 21

 

And a policy configured:

set name "Internet to FTP Server"
set srcintf "External"
set dstintf "local"
set srcaddr "all"
set dstaddr "VIP for FTP"
set action accept
set schedule "always"
set service "FTP Services" (Also tried "ALL")

"FTP Services" has all members for "FTP"

edit "FTP Services"
set member "FTP" "FTP_GET" "FTP_PUT"
next

 

But I cannot establish an FTP Connection.  I can connect to the server, but there is no data transfer (i.e. to get directory listing).  Here is a log from FileZilla

 

Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <Local IP address>,237,96
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,251).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Connecting to <Correct Fortigate IP Address>:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/<valid directory>" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT <local IP>,237,99
Response: 501 Server cannot accept argument.
Command: PASV
Response: 227 Entering Passive Mode (<Correct Fortigate IP Address>,244,252).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

 

Does anyone have any idea what I am missing?

 

Thanks

1 Solution
tanr
Valued Contributor II

Shot in the dark, but does your security policy for FTP have NAT turned on?

View solution in original post

8 REPLIES 8
packetpusher
Contributor

I am sure the following URL will help you understand what gets to be done in order to fix this issue. 

Ref. http://slacksite.com/other/ftp.html

 

Brent

mstoyanoff wrote:

I am sure the following URL will help you understand what gets to be done in order to fix this issue. 

Ref. http://slacksite.com/other/ftp.html

 

Really?  No, that is not helpful at all.  I know how FTP works in its essence, but everything I have read so far indicates that on the fortigate I should only need to open port 21 to my server, and session helpers will open the other ports as required for passive FTP, and active FTP should work regardless right (I may have that wrong).  If you read the logs in my original post then you'll see that neither active nor passive FTP traffic is passing through.

 

The question was and remains, what configuration on the fortigate am I missing to allow FTP to work as I have configured as per all the posts I have read, but it's not working so I must be missing something.

 

Thanks

rwpatterson
Valued Contributor III

Does the FTP work from the inside (the LAN)?

Are the FTP services the default or are they custom?

Is there another policy before this one that may be grabbing the traffic and denying it?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Brent

rwpatterson wrote:

Does the FTP work from the inside (the LAN)?

Are the FTP services the default or are they custom?

Is there another policy before this one that may be grabbing the traffic and denying it?

Yes the FTP works from within the LAN.  Including from a different network segment that routes through the fortigate but has an allow all rule (i.e. 192.168.0.x -> 192.168.1.x).

 

The FTP Services are default.

 

I have no deny policies other than the default deny all as the last rule.

Brent
New Contributor

An update if it helps anyone help me resolve this issue.  Even if the services in the policy are set to "All" I still can't get a connection.

 

VIPs for other services (such as Http/Https etc) work, fine, but this indicates there might be something wrong with the VIP configuration?  Just grasping at straws I guess, but is there any specific configuration required for VIP to support FTP or Session Helpers?

tanr
Valued Contributor II

Shot in the dark, but does your security policy for FTP have NAT turned on?

Brent
New Contributor

tanr wrote:

Shot in the dark, but does your security policy for FTP have NAT turned on?

Well ... no.  But I marked your post as helpful as it was the most helpful response.  I have found the problem and I'm feeling rather silly.  The Server firewall was blocking FTP Passive traffic from the internet, internally it was working as there is an allow all from my internal network.  So the issue wasn't with the Fortigate at all.

rwpatterson
Valued Contributor III

Thank you for the follow up. It may help someone else in the future. Glad you resolved it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Top Kudoed Authors