Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Filip011
New Contributor

FTP from inside to outside not working

Hello,


I have a Fortigate firewall with inside and outside interface. My LAN to WAN policy allows HTTP, HTTPS and DNS. Now there is a requirement to allow LAN users to connect to external FTP servers. If under policy I add FTP, it won't connect to the external FTP server. If I change the policy to All, I can connect. I tried adding all FTP related services and even TFTP with no luck.

What am I doing wrong?


Thanks.

6 REPLIES
Filip011
New Contributor

Except if they changed the default port 21 on their side and are using a different one without telling me.

Eleguardini

Hi,

is it that maybe the policies are in the wrong order?

You should have first the policy for the ftp server (source: lan, destination: ip server) and then the policy that allows internet connection (source: lan, destination: all). Otherwise, if they are in the opposite order, all the traffic will end up in the second policy I mentioned where the ftp is not allowed.


ede_pfau
Esteemed Contributor III

@Eleguardini: this is not true in every case. Imagine policy 1 allows "HTTP, HTTPS, someother". Then FTP traffic will not match and fall through to policy 2 (which allows FTP).


But you're right in general, the most specific policy needs to be topmost. Matching criteria are all of source interface and addr, dest interface and addr, service, schedule, and action.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Filip011

I didn't select a specific policy. I added the FTP service to the LAN to WAN policy. From LAN any to WAN any. So I don't think that is the problem.

ede_pfau
Esteemed Contributor III

Then you shouldn't have any problem.

Have a look at FortiView>Policies, and check which kind of traffic passes either this policy or policy 0 (the implicit DenyAll policy). This will give you a clue which ports need to be open.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
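To make the two points in ede_pfau's replies concrete (top-down first match, with policy 0 as the implicit deny, and the hint to check in FortiView which ports a session actually uses), here is an added example that is not part of the thread or of any Fortinet tool. It is a deliberately simplified Python model of policy evaluation: interfaces, addresses and service objects are matched the way the reply describes, and a passive FTP session is split into its control connection (tcp/21) and the data connection the server announces in its 227 PASV reply (RFC 959: port = p1*256 + p2). The model intentionally omits FortiGate's FTP session helper, which by default is bound to tcp/21 and opens the data connection for you; the policy IDs, addresses and the PASV reply are constructed for the example.

```python
"""Simplified first-match model of FortiGate policy evaluation (added example, not FortiOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Service objects modelled as sets of (protocol, destination port); "ALL" is a wildcard.
# Simplification: real service objects can also carry port ranges and ICMP types.
SERVICES = {
    "HTTP":  {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS":   {("tcp", 53), ("udp", 53)},
    "FTP":   {("tcp", 21)},   # control channel only; data ports are dynamic
    "ALL":   None,
}


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str          # interface name, or "any"
    dstintf: str
    srcaddr: str          # CIDR, or "all"
    dstaddr: str
    services: tuple       # names from SERVICES
    action: str = "accept"

    def matches(self, flow):
        def intf_ok(rule, intf):
            return rule == "any" or rule == intf

        def addr_ok(rule, ip):
            return rule == "all" or ip_address(ip) in ip_network(rule)

        def svc_ok():
            for name in self.services:
                ports = SERVICES[name]
                if ports is None or (flow.proto, flow.dport) in ports:
                    return True
            return False

        return (intf_ok(self.srcintf, flow.srcintf) and intf_ok(self.dstintf, flow.dstintf)
                and addr_ok(self.srcaddr, flow.src) and addr_ok(self.dstaddr, flow.dst)
                and svc_ok())


def first_match(policies, flow):
    """Evaluate top-down; the first policy whose criteria all match wins.
    Returns its policyid, or 0 when nothing matched (the implicit DenyAll)."""
    for p in policies:
        if p.matches(flow):
            return p.policyid
    return 0


PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_endpoint(reply):
    """Decode a 227 reply: host is h1.h2.h3.h4, data port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_session_policies(policies, client, server, pasv_reply):
    """Report which policy the control and the data half of a passive FTP session land on.
    No session helper is modelled, so the data connection must match a policy on its own."""
    control = Flow("lan", "wan", client, server, "tcp", 21)
    host, port = pasv_endpoint(pasv_reply)
    data = Flow("lan", "wan", client, host, "tcp", port)
    return {"control": first_match(policies, control), "data": first_match(policies, data)}


# Constructed sample data: LAN 10.0.0.0/24, external FTP server 203.0.113.10.
LAN, SERVER, CLIENT = "10.0.0.0/24", "203.0.113.10", "10.0.0.25"
WEB = Policy(1, "lan", "wan", LAN, "all", ("HTTP", "HTTPS", "DNS"))
FTP_ONLY = Policy(2, "lan", "wan", LAN, SERVER + "/32", ("FTP",))
WEB_PLUS_FTP = Policy(3, "lan", "wan", LAN, "all", ("HTTP", "HTTPS", "DNS", "FTP"))
ALLOW_ALL = Policy(4, "lan", "wan", LAN, "all", ("ALL",))
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"  # constructed; 195*256+80 = 50000

if __name__ == "__main__":
    print("general (HTTP/HTTPS/DNS) above specific FTP policy:",
          ftp_session_policies([WEB, FTP_ONLY], CLIENT, SERVER, PASV_REPLY))
    print("ALL-service policy above specific FTP policy:",
          ftp_session_policies([ALLOW_ALL, FTP_ONLY], CLIENT, SERVER, PASV_REPLY))
    print("FTP added to the single LAN->WAN policy:",
          ftp_session_policies([WEB_PLUS_FTP], CLIENT, SERVER, PASV_REPLY))
```

Running it shows the three cases discussed in the thread: with the web policy on top, FTP control traffic does not match it and falls through to the specific policy below (ede_pfau's correction of the ordering argument); a policy with service ALL on top shadows the specific one entirely (the ordering problem Eleguardini describes); and with FTP simply added to the LAN to WAN policy, the control connection is accepted while the dynamic data connection lands on policy 0, which is the kind of entry FortiView>Policies would reveal. On a real FortiGate the session helper normally opens that data connection, but only when the control channel is on the port the helper is bound to, which is why a server on a non-standard control port behaves differently.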
Filip011

I know I shouldn't have any problems. That's why I opened this thread :)
