Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DanieleS99
Contributor

Created on ‎09-06-2023 01:21 AM

Fortigate and filezilla in active mode

Hi,

I want to understand what is the right behavior of the Fortigate in a scenario where I have an FTP server and a filezilla client that use the "ACTIVE" mode.

the client is on the INSIDE interface and the FTP server is in DMZ.

I create a rule for allow the traffic from INSIDE to port 21 in DMZ.

Do i need a rule from DMZ to INSIDE? I see that FTP server use source port 20 and client destination port random >1024.

 

 

Labels:
4042
0 Kudos
6 REPLIES 6
vsahu
Staff
Staff

Created on ‎09-06-2023 03:53 AM

Hello DanieleS99,

 

Please check the below guide.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allowing-FTPs-over-FortiGate-FTPs-sFTP-SFT...

Yes in active mode you've to explicitly open the FTP port communication from server to client otherwise it will not work.

 

Regards,
Vishal
4022
0 Kudos
spoojary
Staff
Staff

Created on ‎09-06-2023 05:30 AM

In a scenario with an FTP server in the DMZ and an FTP client on the INSIDE using active mode, you should:

  1. Allow outbound traffic from the INSIDE to the DMZ on port 21 (FTP control channel).
  2. Enable the FTP session helper on your FortiGate firewall to automatically handle related data channel connections.

You generally don't need explicit rules for the FTP server to initiate connections back to the client on high-numbered ports. The FTP session helper should manage this for you.

Siddhanth Poojary
4014
0 Kudos
DanieleS99
Contributor
In response to spoojary

Created on ‎09-06-2023 05:53 AM

How Can I enable the FTP session helper? Or how Can I verify that is enabled and in working? I tried to search in internet without results..

Thanks

4010
0 Kudos
hbac
Staff
Staff
In response to DanieleS99

Created on ‎09-06-2023 08:50 AM

Hi @DanieleS99

 

You can run the following commands to verify. It should be enabled by default: 

# show full system session-helper | grep ftp -f

# show full firewall service custom | grep FTP -f

 

Regards, 

3979
0 Kudos
DanieleS99
Contributor
In response to hbac

Created on ‎09-06-2023 08:59 AM

Ok, I saw that is enabled.

So, I think that It's not working properly because I already have a policy from INSIDE to DMZ, but the traffic from DMZ to INSIDE is blocked... 

3977
0 Kudos
DanieleS99
Contributor
In response to hbac

Created on ‎09-13-2023 03:50 AM Edited on ‎09-13-2023 03:51 AM

In the end I understand that the FTP traffic is encrypted in TLS, so I must search a way to activate the ftp session-helper correctly in this case.

3903
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.