MitchK
New Contributor

Passive FTP-Custom Service?

On my Fortigate 300A, I have an FTP server with internal addressing on an internal interface. I set up a VIP with an external (internet routable) IP address so that users on the internet can access the server. The firewall rule specifies only "FTP" as the service. Things were working well, until someone pointed out that when a user switches to passive FTP, they get a response from the server using its internal address. Obviously, I don't want this to happen. Is the reason that my rule only includes garden-variety FTP? I don't see a pre-defined service for passive FTP. If I change my rule to service "ANY" will that solve the issue? Thanks.
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)
ede_pfau
SuperUser

No, it's not the service definition. You just have to NAT outgoing traffic that is initiated by the server (in contrast to traffic replies). For active FTP, the VIP translates the source IP of reply traffic from your server to the VIP address. For passive FTP, you have to NAT the traffic manually. This is how:

- create an "IP pool" with just one IP address, namely the VIP address (a.b.c.d/32)
- edit the policy 'internal' -> 'wan' which is used by your server to access the internet
- check the NAT option, specify 'dynamic NAT' and choose the IP pool with the VIP address

Depending on the protocol details, passive FTP might use the 'wan' -> 'internal' policy which uses the VIP instead of an outgoing policy. You can enable dynamic NAT on that policy as well, with no negative side effects.
Ede Kernel panic: Aiee, killing interrupt handler!
MitchK
New Contributor

Thanks Ede, sounds right...I implemented it.
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)
MitchK
New Contributor

Ede, another question. I already had a rule for internal->external, All to All, service ANY, with "interface NAT" configured. Until now, it was the only outgoing rule. Why wouldn't the external user have seen the external interface's address, rather than the server's actual internal address?
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)
ede_pfau
SuperUser

That indicates that passive FTP uses the 'wan' -> 'internal' policy; configure NAT here (see my post above). Anybody following this thread must think two woodchoppers are handling hi-tech equipment...what a Friday...

edit: see here http://slacksite.com/other/ftp.html for the passive FTP protocol. Both active and passive FTP use the same incoming policy from WAN to server - so that's where the NAT belongs. Definitely.
Ede Kernel panic: Aiee, killing interrupt handler!
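The symptom Mitch reports (a PASV reply carrying the server's internal address) is visible in the FTP control channel itself, so it can be checked without touching the firewall configuration. The script below is an added example, not part of this thread or of any Fortinet tool: it parses a 227 "Entering Passive Mode" reply, recovers the advertised address and port (port = p1*256 + p2), and flags the two conditions a defender wants to catch after setting up a VIP: an RFC 1918 address leaking to the internet, and an advertised address that differs from the address the client actually connected to. The sample replies, the control-connection peer 203.0.113.5 and the passive port range 50000-50100 are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: these must never appear in a PASV reply sent to an internet client.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." as defined in RFC 959.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not a PASV reply."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(ip):
    """True if ip falls inside one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_pasv_reply(reply, control_peer, pasv_range=None):
    """Return a list of findings (empty list means the reply looks correct).

    control_peer: the address the client opened the control connection to (the VIP).
    pasv_range:   optional (low, high) tuple of the passive ports the server is configured for.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["no 227 passive-mode reply"]
    ip, port = parsed
    findings = []
    if is_rfc1918(ip):
        findings.append(f"server advertised private address {ip}; the data connection will fail from the internet")
    if ip != control_peer:
        findings.append(f"advertised address {ip} differs from control-connection peer {control_peer}")
    if pasv_range and not (pasv_range[0] <= port <= pasv_range[1]):
        findings.append(f"data port {port} is outside the configured passive range {pasv_range[0]}-{pasv_range[1]}")
    return findings


# Constructed sample replies: the first is the leak Mitch saw, the second is what a
# correctly NATed server should send to a client that connected to the VIP 203.0.113.5.
LEAKED_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)."
FIXED_REPLY = "227 Entering Passive Mode (203,0,113,5,195,81)."

if __name__ == "__main__":
    for reply in (LEAKED_REPLY, FIXED_REPLY):
        problems = check_pasv_reply(reply, "203.0.113.5", (50000, 50100))
        print(reply, "->", problems or "OK")
```

To use it against a live server you would read the reply to the PASV command from the control connection (for example with `ftplib.FTP.sendcmd("PASV")`) and pass that string together with the VIP address; the checks are the same either way.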
MitchK

Ede, because I AM a woodchopper, I will go over what I did. I created a custom service, FTP-PASV, delineating the port range allowed by my server. Then I added a rule in WAN->Internal: source=any destination=FTPserver (VIP) service=FTP-PASV I think that should do it. No?
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)
ede_pfau
SuperUser

Good humor tackles everything. If you had included the definition for FTP-PASV I could've rated it. But FTP (default) should do.
Ede Kernel panic: Aiee, killing interrupt handler!
MitchK

Here it is. The destination port range is specified on the server. I'm not sure how default-FTP would do it. Although one is not permitted to see how that service is defined, is passive factored into it? If so, I don't have to create this new service.
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)