DanieleS99
New Contributor III

Fortigate and filezilla in active mode

Hi,

I want to understand what the right behavior of the FortiGate is in a scenario where I have an FTP server and a FileZilla client that uses "ACTIVE" mode.

The client is on the INSIDE interface and the FTP server is in the DMZ.

I created a rule to allow the traffic from INSIDE to port 21 in the DMZ.

Do I need a rule from DMZ to INSIDE? I see that the FTP server uses source port 20 and the client destination port is random (>1024).

vsahu
Staff

Hello DanieleS99,


Please check the below guide.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allowing-FTPs-over-FortiGate-FTPs-sFTP-SFT...

Yes, in active mode you have to explicitly open the FTP port communication from server to client, otherwise it will not work.


Regards,
Vishal
spoojary
Staff

In a scenario with an FTP server in the DMZ and an FTP client on the INSIDE using active mode, you should:

  1. Allow outbound traffic from the INSIDE to the DMZ on port 21 (FTP control channel).
  2. Enable the FTP session helper on your FortiGate firewall to automatically handle related data channel connections.

You generally don't need explicit rules for the FTP server to initiate connections back to the client on high-numbered ports. The FTP session helper should manage this for you.

Siddhanth Poojary
DanieleS99
New Contributor III

How can I enable the FTP session helper? Or how can I verify that it is enabled and working? I tried to search on the internet without results.

Thanks

hbac

Hi @DanieleS99


You can run the following commands to verify. It should be enabled by default:

# show full system session-helper | grep ftp -f

# show full firewall service custom | grep FTP -f

Regards,

DanieleS99
New Contributor III

OK, I saw that it is enabled.

So, I think that it's not working properly, because I already have a policy from INSIDE to DMZ, but the traffic from DMZ to INSIDE is blocked...

DanieleS99
New Contributor III

In the end I understood that the FTP traffic is encrypted with TLS, so I must find a way to activate the FTP session helper correctly in this case.
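The two points the thread turns on (the session helper opening the server-to-client data connection after it reads the PORT command, and that helper having nothing to read once the control channel is wrapped in TLS) can be shown with a small model of what such a helper does. The following is an added example, not code from FortiOS or from anyone in the thread. It uses a constructed control-channel transcript (the IP addresses, user name and file name are made up), and the address-consistency check in expected_pinholes is an assumption about a sensible helper design, not a statement of how the FortiGate implements it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed transcript of an active-mode session, not captured from any real device.
# "C:" lines go client -> server on port 21, "S:" lines server -> client.
PLAIN_SESSION = [
    "S: 220 FTP server ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS secret",
    "S: 230 Login ok",
    "C: PORT 10,0,0,25,195,81",          # client announces 10.0.0.25:50001 for the data channel
    "S: 200 PORT command successful",
    "C: RETR report.txt",
    "S: 150 Opening data connection",   # server now connects from port 20 to 10.0.0.25:50001
]

# Same session, but the client negotiates TLS first (AUTH TLS). From then on the
# control channel is ciphertext, so a helper on the firewall cannot see any PORT.
TLS_SESSION = [
    "S: 220 FTP server ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    "C: <encrypted>",
    "S: <encrypted>",
]

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with the port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


@dataclass(frozen=True)
class Pinhole:
    """A temporary DMZ -> INSIDE allow entry a session helper would create."""
    src_ip: str     # FTP server in the DMZ; it initiates the data connection
    src_port: int   # 20 in active mode
    dst_ip: str     # client address taken from the PORT command
    dst_port: int   # client port taken from the PORT command


def parse_port(command: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if it is not well-formed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def expected_pinholes(session: List[str], server_ip: str, client_ip: str) -> Tuple[List[Pinhole], bool]:
    """Walk the control channel as a session helper would.

    Returns the pinholes the helper could open and a flag saying whether the
    channel went encrypted (after which no further commands are readable).
    """
    pinholes: List[Pinhole] = []
    encrypted = False
    for line in session:
        direction, _, payload = line.partition(": ")
        if direction == "C" and payload.upper() == "AUTH TLS":
            encrypted = True
            continue
        if encrypted or direction != "C":
            continue
        parsed = parse_port(payload)
        if parsed is None:
            continue
        ip, port = parsed
        # Assumed helper sanity check: only open a hole towards the address that
        # owns the control session, so a PORT naming a third host is ignored.
        if ip != client_ip:
            continue
        pinholes.append(Pinhole(src_ip=server_ip, src_port=20, dst_ip=ip, dst_port=port))
    return pinholes, encrypted


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("tls", TLS_SESSION)):
        holes, enc = expected_pinholes(session, server_ip="192.0.2.10", client_ip="10.0.0.25")
        print(f"{name}: encrypted={enc} pinholes={holes}")
```

Run as a script it shows one pinhole (192.0.2.10:20 to 10.0.0.25:50001) for the plaintext session and none for the TLS session. That is the difference between the two answers above: with a readable control channel the helper can open the DMZ-to-INSIDE data connection itself, and with FTPS the firewall has to be told explicitly what to allow, because the PORT command it would have relied on is no longer visible to it.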
