Menu

Fortigate FTP Session-helper


I would like to share a case we had involving a fortigate firewall, the scenario was very simple,
Two ftp servers connected to the DMZ port of a fortigate firewall, one is working on port 21 the other on 20,
The server that works on port 20 was working on FTP passive mode.
The server that works on port 21 has no problems, but the one on port 20 is unable to pass data, gets a timeout when trying to run list command.
I have configured same scheme in my lab and ran the test without any configuration changes, here is the results

#ftp -d ftp.networklabs.info 20
220-FileZilla Server version 0.9.40 beta
Name: ftp_usr
331 Password required for ftp_usr
Password:
---> PASS XXXX
230 Logged on
cmds.c:276: verbose=1 debug=1 overbose=1
---> SYST
215 UNIX emulated by FileZilla
Remote system type is UNIX.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode

And this is how far it got.

To fix it, use the CLI of the forti and add
Fortigate # show system session-helper 21
config system session-helper
    edit 21
        set name ftp
        set port 20
        set protocol 6
    next
end

after adding the following I reran the test and got the following result :

#ftp -d ftp.networklabs.info 20
220-FileZilla Server version 0.9.40 beta
Name: ftp_usr
331 Password required for ftp_usr
Password:
---> PASS XXXX
230 Logged on
cmds.c:276: verbose=1 debug=1 overbose=1
---> SYST
215 UNIX emulated by FileZilla
Remote system type is UNIX.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode
---> LIST
150 Connection accepted
drwxr-xr-x 1 ftp ftp              0 Feb 17 20:02 My Folder
226 Transfer OK

The reason for the issue is the fact that working with passive mode the data packets are transmitted on random ports (1024 and above) and the firewall does not know it's related to the previous port 20 traffic, and all the session helper does is "help" the firewall understand the traffic is related to the existing session.



 Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
By

5 comments:

  1. tony244205 October, 2013 03:07

    THANK YOU!!!

    I spent over an hour w/Fortigate Tech Support trying to resolve this issue when I finally showed them this AND IT WORKED!

    ReplyDelete
  2. Tony (trailname to come)10 June, 2015 07:18

    We are suffering severe FTP upload speed issues through the fortigate 200D. Tried this and a few other google tidbits to no avail...

    ReplyDelete
  3. Naveed Quadri05 August, 2015 12:14

    Thankyou for this.... This was brilliant :) ....

    ReplyDelete
  4. Dude-Art17 August, 2016 10:03

    Hey Anthony,
    we have as well a FTP Speed Problem! We go through all Ports with iperf and the speed on port 21 was the slowest! i'm in contact with forti, but its terrible!
    di you solve the problem? raffa

    ReplyDelete
  5. Unknown11 September, 2019 16:28

    SUPER! Many thanks for this:) it works.

    ReplyDelete

Subscribe to: Post Comments (Atom)