Not applicable

FTP Passive problem

Hello, I am having a problem where I cannot FTP in passive mode using an external IP to my FTP server behind the Fortigate 60B. When I FTP using the internal IP address the FTP works fine to the FTP server. The first item I noticed is when I use an FTP client the passive port range is not being used. I have used several different FTP clients such as WSFTP and Filezilla. If I eliminate the Fortigate the FTP works fine.

The following is an example of the FTP external IP failure:

    PASV
    227 Entering Passive Mode (208,xx,xx,66,132,187)
    connecting to 208.xx.xx.66:33979
    - - connecting to 208.xx.xx.66:33979
    ! Connection failed 208.xx.xx.66 - connection timed out
    ! connect: error 0

When it times out the FTP shifts into regular FTP and works fine. The fact that the login works and I get this far tells me the FTP port is open.

The following is an example when the FTP works using the internal IP address:

    PASV
    227 Entering Passive Mode (208,xx,xx,66,92,28)
    connecting to 208.xx.xx.66:23580
    - - connecting to 208.xx.xx.66:23580
    Connected to 208.xx.xx.66 port 23580

This FTP works fine and it is using the FTP passive port range (23580-23590) that I assigned to the Serv-U FTP server. My experience with other routers is I have to open ports with port forwarding. I am not sure if this is the case with the Fortigate. Any guidance would be most welcome.

Thank You, Joe
Not applicable

Hello, Thank you for asking. I looked at the IB policy and NAT is unchecked. Let me know if you want me to check anything else. Joe
Not applicable

Hello, I have been reading several posts on this forum and found out that people with FTP problems in the past were using the following KB to fix the problem: http://kc.forticare.com/default.asp?id=1765&Lang=1&SID= But when I create the VIP with port forwarding and then test the FTP, the FTP fails all the time. When I eliminate the port forwarding section of the VIP the FTP will still work in regular mode. I guess my question is, am I missing something else? My custom service is set up with TCP 23580-23590 for both the source and destination ports. And when I tried the port forwarding in the VIP I put in the same port numbers. Thanks, Joe
rwpatterson
Valued Contributor III

Source ports should always be at least 1024-65535 (for most standard, non-secure protocols). Some folks use 1-65535.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Hello, Thank you for the reply. I tried the range of 1024-65535 and I still have the same darn problem of no connection when I use the port forwarding option. When I get rid of the port forwarding then PASV does not work but regular FTP works. Joe
Not applicable

Don't know if the problem is already solved, but in my case the problem was the session helper - it manipulates the data stream so another port is sent back to the FTP server. For me it helped to tell the session helper for FTP to use another port than 21, so I told it to watch for FTP data on port 212, and since I've done this change the data sent to my firewall is passed through 1:1 and nothing is changed in the datastream :) If you need help to change the port number of the session helper please take a look at page 447 in the CLI reference. Hope this helps! mfg, Roland
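
Added example, not written by any poster in this thread: a small Python check that decodes the 227 replies quoted in the first post (data port = p1*256 + p2) and reports whether each advertised port falls inside the 23580-23590 range set on the FTP server, which is how a rewritten port of the kind Roland describes shows up in a client log. The function names are hypothetical, and the masked "xx" octets are kept exactly as posted.

```python
import re

# 227 reply: (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2.
# Host octets may be masked as "xx", as they are in the thread's logs.
PASV_RE = re.compile(
    r"227 [^(]*\(((?:\d{1,3}|xx)(?:,(?:\d{1,3}|xx)){3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(line):
    """Return (host, port) from a 227 reply line, or None if absent/invalid."""
    m = PASV_RE.search(line)
    if not m:
        return None
    p1, p2 = int(m.group(2)), int(m.group(3))
    if p1 > 255 or p2 > 255:
        return None  # each port byte must fit in one octet
    return m.group(1).replace(",", "."), p1 * 256 + p2

def audit(lines, low, high):
    """List (host, port, in_range) for every 227 reply found in lines."""
    results = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed:
            host, port = parsed
            results.append((host, port, low <= port <= high))
    return results

# The two replies quoted in the first post, plus the PASV command line.
SAMPLE = [
    "PASV",
    "227 Entering Passive Mode (208,xx,xx,66,132,187)",
    "227 Entering Passive Mode (208,xx,xx,66,92,28)",
]
# Passive range the first post says was assigned on the FTP server.
PASSIVE_RANGE = (23580, 23590)

if __name__ == "__main__":
    for host, port, ok in audit(SAMPLE, *PASSIVE_RANGE):
        status = "inside" if ok else "OUTSIDE"
        print(f"{host}:{port} is {status} the server's passive range")
```

Run against a client log captured on each side of the firewall, an "OUTSIDE" result on the external side only means the port in the 227 reply was changed somewhere between server and client, so the forwarded range will never match it.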