FTP from inside to outside not working
Hello,
I have a Fortigate firewall with inside and outside interface. My LAN to WAN policy allows HTTP, HTTPS and DNS. Now there is a requirement to allow LAN users to connect to external FTP servers. If under policy I add FTP, it won't connect to the external FTP server. If I change the policy to All, I can connect. I tried adding all FTP related services and even TFTP with no luck.
What am I doing wrong?
Thanks.
Except if they changed the default port 21 on their side and are using a different one without telling me.
Hi,
is it that maybe the policies are in the wrong order?
You should have first the policy for the ftp server (source: lan, destination: ip server) and then the policy that allows internet connection (source: lan, destination: all). Otherwise, if they are in the opposite order, all the traffic will end up in the second policy I mentioned where the ftp is not allowed.
@Eleguardini: this is not true in every case. Imagine policy 1 allows "HTTP, HTTPS, someother". Then FTP traffic will not match and fall through to policy 2 (which allows FTP).
But you're right in general, the most specific policy needs to be topmost. Matching criteria are all of source interface and addr, dest interface and addr, service, schedule, and action.
I didn't select a specific policy. I added the FTP service to the LAN to WAN policy. From LAN any to WAN any. So I don't think that is the problem.
Then you shouldn't have any problem.
Have a look at FortiView>Policies, and check which kind of traffic passes either this policy or policy 0 (the implicit DenyAll policy). This will give you a clue which ports need to be open.
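The two points made above, that policies are evaluated top-down on source/destination interface and address plus service, and that anything matching no policy lands on the implicit policy 0, can be checked with a small first-match evaluator. This is an added example written for this thread, not FortiOS code or anything from Fortinet: the interface names, the service-to-port table, the LAN range and the external server address are all constructed, the schedule is assumed to be "always", and only TCP destination ports are modelled.

```python
"""First-match firewall policy evaluation, modelled on the matching criteria
named in the thread (source/destination interface and address, service).
Constructed example; not FortiOS code. Schedule is assumed to be 'always'."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service objects: name -> set of TCP destination ports. "ALL" matches any port.
# Constructed to mirror the services mentioned in the thread.
SERVICES = {"HTTP": {80}, "HTTPS": {443}, "DNS": {53}, "FTP": {21}}


@dataclass(frozen=True)
class Policy:
    pid: int
    srcintf: str
    dstintf: str
    srcaddr: str            # CIDR, or "all"
    dstaddr: str            # CIDR or host/32, or "all"
    services: frozenset     # names from SERVICES, or {"ALL"}
    action: str = "accept"  # "accept" or "deny"


# Policy 0: the implicit deny that catches sessions matching nothing else.
IMPLICIT_DENY = Policy(0, "any", "any", "all", "all", frozenset({"ALL"}), "deny")


def _addr_match(rule, ip):
    return rule == "all" or ip_address(ip) in ip_network(rule, strict=False)


def _service_match(names, dport):
    return "ALL" in names or any(dport in SERVICES.get(n, set()) for n in names)


def match_policy(policies, srcintf, dstintf, src_ip, dst_ip, dport):
    """Walk the policy table top-down and return the first policy whose
    criteria all match; fall back to policy 0 (implicit deny)."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(p.srcaddr, src_ip)
                and _addr_match(p.dstaddr, dst_ip)
                and _service_match(p.services, dport)):
            return p
    return IMPLICIT_DENY


# Constructed addresses (the external server uses an RFC 5737 documentation range).
LAN, FTP_SERVER, CLIENT = "192.168.1.0/24", "203.0.113.10", "192.168.1.25"


def internet_policy(pid, services):
    """LAN -> WAN, any destination, with the given service set."""
    return Policy(pid, "lan", "wan", LAN, "all", frozenset(services))


def ftp_server_policy(pid):
    """LAN -> the one external FTP server, FTP only."""
    return Policy(pid, "lan", "wan", LAN, FTP_SERVER + "/32", frozenset({"FTP"}))


def ftp_decision(policies, dport=21):
    """Which policy an FTP control connection from CLIENT to FTP_SERVER hits."""
    p = match_policy(policies, "lan", "wan", CLIENT, FTP_SERVER, dport)
    return p.pid, p.action


if __name__ == "__main__":
    # 1. Broad internet policy (service ALL) above the specific FTP policy:
    #    the specific policy is shadowed, which is the ordering concern raised.
    shadowed = [internet_policy(1, {"ALL"}), ftp_server_policy(2)]
    print("broad policy on top    ->", ftp_decision(shadowed))       # (1, 'accept')

    # 2. Internet policy limited to HTTP/HTTPS/DNS: FTP does not match it and
    #    falls through to policy 2, so the order is harmless in this case.
    fall_through = [internet_policy(1, {"HTTP", "HTTPS", "DNS"}), ftp_server_policy(2)]
    print("restricted policy      ->", ftp_decision(fall_through))   # (2, 'accept')

    # 3. FTP added to the single LAN-to-WAN policy, as the poster did.
    single = [internet_policy(1, {"HTTP", "HTTPS", "DNS", "FTP"})]
    print("FTP in LAN-to-WAN      ->", ftp_decision(single))         # (1, 'accept')

    # 4. Same table, but the server listens on a non-standard port: the
    #    session lands on policy 0, which is what FortiView would show.
    print("non-standard port 2121 ->", ftp_decision(single, 2121))   # (0, 'deny')
```

Case 4 is the situation the "check policy 0 in FortiView" advice is meant to surface: a control connection to a port that no service object covers is denied by policy 0 even though "FTP" is in the policy, so the port actually seen there tells you which service object is missing.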
I know I shouldn't have any problems. That's why I opened this thread :)
