I want to understand what the right behavior of the FortiGate is in a scenario where I have an FTP server and a FileZilla client that use "ACTIVE" mode.
The client is on the INSIDE interface and the FTP server is in the DMZ.
I create a rule to allow the traffic from INSIDE to port 21 in the DMZ.
Do I need a rule from DMZ to INSIDE? I see that the FTP server uses source port 20 and the client's destination port is random, >1024.
Please check the below guide.
Yes, in active mode you have to explicitly open the FTP port communication from server to client, otherwise it will not work.
In a scenario with an FTP server in the DMZ and an FTP client on the INSIDE using active mode, you should:
You generally don't need explicit rules for the FTP server to initiate connections back to the client on high-numbered ports. The FTP session helper should manage this for you.
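The answer above says the FTP session helper "manages" the reverse connection. What that means in practice is that the helper reads the client's PORT (or EPRT) command on the port 21 control channel, works out the client-side data port from it, and opens a temporary pinhole for server:20 -> client:that-port without a DMZ-to-INSIDE policy. The following is an added illustration of that logic (example code, not FortiGate code or anything from this thread); the addresses, ports and session lines are constructed sample values. It also shows two things a practitioner should expect from a helper: it only opens a hole toward the address that owns the control session (so a PORT command cannot be used to punch a hole toward a third host), and once the control channel is encrypted with AUTH TLS there is nothing left for it to parse, so no pinhole is created.

```python
"""Added example, not Fortinet's code: a minimal model of what an FTP session helper
(application-layer gateway) does on the control channel in active mode.  It watches the
client's PORT / EPRT command, computes the client-side data port, and records the
reverse pinhole server:20 -> client:port that the firewall would open.  Everything after
a successful AUTH TLS is ciphertext to the helper, so no pinhole can be derived there.
All addresses, ports and session lines below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_DATA_SRC_PORT = 20  # active-mode data connections originate from server port 20


@dataclass(frozen=True)
class Pinhole:
    src_ip: str    # DMZ FTP server
    src_port: int  # 20
    dst_ip: str    # INSIDE client
    dst_port: int  # ephemeral port the client announced in PORT/EPRT


# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |1|addr|port| (RFC 2428, IPv4 only here)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\s*$", re.I)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a PORT or EPRT command, or None if absent/malformed."""
    m = PORT_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None  # each of h1..h4, p1, p2 must fit in one byte
        host = ".".join(str(f) for f in fields[:4])
        return host, fields[4] * 256 + fields[5]
    m = EPRT_RE.match(line)
    if m:
        port = int(m.group(2))
        return (m.group(1), port) if 0 < port < 65536 else None
    return None


def derive_pinholes(control_channel: List[Tuple[str, str]],
                    server_ip: str, client_ip: str) -> List[Pinhole]:
    """control_channel: ordered (direction, line) pairs, direction 'C' (client->server)
    or 'S' (server->client).  Returns the reverse pinholes a helper would open.
    - A pinhole is only opened toward the address that owns the control session.
    - After the server accepts AUTH TLS (reply 234) the payload is opaque: stop parsing.
    """
    pinholes: List[Pinhole] = []
    tls_requested = False
    for direction, line in control_channel:
        if direction == "C" and line.upper().startswith("AUTH TLS"):
            tls_requested = True
            continue
        if direction == "S":
            if tls_requested and line.startswith("234"):
                break  # TLS handshake follows; the helper is blind from here on
            if tls_requested and line[:1] in "45":
                tls_requested = False  # AUTH TLS rejected, control channel stays clear
            continue
        parsed = parse_port_command(line)
        if parsed is None:
            continue
        ip, port = parsed
        if ip != client_ip or port <= 1023:
            continue  # mismatched address or privileged port: refuse to open a hole
        pinholes.append(Pinhole(server_ip, FTP_DATA_SRC_PORT, client_ip, port))
    return pinholes


# Constructed sample scenario matching the thread: server in DMZ, client on INSIDE.
SERVER_IP, CLIENT_IP = "192.0.2.10", "10.1.1.50"

PLAIN_SESSION = [
    ("S", "220 ftp ready"),
    ("C", "USER alice"), ("S", "331 password"), ("C", "PASS x"), ("S", "230 ok"),
    ("C", "PORT 10,1,1,50,195,89"),     # 195*256 + 89 = 50009
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("C", "EPRT |1|10.1.1.50|60001|"),
    ("C", "PORT 10,1,1,99,195,90"),     # address is not the control client: ignored
    ("C", "RETR file.txt"),
]

TLS_SESSION = [
    ("S", "220 ftp ready"),
    ("C", "AUTH TLS"), ("S", "234 AUTH TLS successful"),
    ("C", "<tls ciphertext>"),          # the PORT command is in here but unreadable
]

if __name__ == "__main__":
    for p in derive_pinholes(PLAIN_SESSION, SERVER_IP, CLIENT_IP):
        print(f"allow {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
    print("TLS session pinholes:", derive_pinholes(TLS_SESSION, SERVER_IP, CLIENT_IP))
```

For the plaintext session the helper yields two pinholes (server:20 -> 10.1.1.50:50009 and :60001) and silently drops the PORT command pointing at 10.1.1.99; for the TLS session it yields none, which is exactly the case where an explicit DMZ-to-INSIDE policy (or passive mode) becomes necessary.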
How can I enable the FTP session helper? Or how can I verify that it is enabled and working? I tried to search on the internet without results..
You can run the following commands to verify. It should be enabled by default:
# show full system session-helper | grep ftp -f
# show full firewall service custom | grep FTP -f
Ok, I saw that it is enabled.
So, I think that it's not working properly, because I already have a policy from INSIDE to DMZ, but the traffic from DMZ to INSIDE is blocked...
In the end I understand that the FTP traffic is encrypted in TLS, so I must search for a way to activate the ftp session-helper correctly in this case.
Copyright 2023 Fortinet, Inc. All Rights Reserved.