Monday, September 15, 2008

Active FTP on non-standard Ports

When you use active FTP, the FortiOS FTP session helper inspects the control connection you open. It reads the PORT command your client sends and then permits the FTP server you are connected to to open the data connection back to your client program, a connection the firewall would otherwise block as unsolicited inbound traffic. This works as long as the control connection uses FTP's standard TCP port, 21, because that is the only port the default ftp helper is bound to. If you have an application which needs to use active FTP on a port other than 21, you need to add an additional session helper entry for that port. Here is how you do it on the command line:

config system session-helper
show
(this lists all the helpers configured; note the id of the last entry, "edit 11" in this example)

** snip **
    edit 10
        set name sip
        set port 5060
        set protocol 17
    next
    edit 11
        set name dns-udp
        set port 53
        set protocol 17
    next
end
(the "end" above is part of the show output; you are still inside config system session-helper)

edit 12
(use the last id + 1, or any id that is not already taken)
    set name ftp
    set port 999
(in this example the application uses FTP on TCP port 999; substitute your port number here)
    set protocol 6
(6 is TCP)
next
end

In the above example we are telling the firewall to treat TCP connections to destination port 999 as FTP control channels and to open the server-to-client data connection for them, exactly as it already does for port 21. You still need a firewall policy that permits the control connection to port 999; the helper only takes care of the dynamically negotiated data connection. You can confirm the new entry with "show system session-helper".
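As an added illustration (not from the original post and not FortiOS code), the following Python models what the FTP session helper has to do: read the PORT or EPRT command on the control channel, work out the client address and port the server will connect back to, and open a pinhole for exactly that connection. It also shows why the extra helper entry matters, since a control connection on a port with no helper bound to it gets no pinhole at all. The set of helper ports, the addresses, and the anti-bounce check are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Destination ports on which the simulated FTP helper inspects the control
# channel: 21 (the default 'ftp' helper) plus 999, the extra helper added in
# the post. Any other port gets no FTP inspection at all. (Assumption for
# the example, not a statement about FortiOS internals.)
FTP_HELPER_PORTS = {21, 999}

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |1|ip|port| (RFC 2428, IPv4 only)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_EPRT_RE = re.compile(r"^EPRT\s+\|1\|([0-9.]+)\|(\d+)\|\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Pinhole:
    """One expected server->client data connection the firewall should admit."""
    server_ip: str
    client_ip: str
    client_port: int


def parse_port_command(line):
    """Return (ip, port) announced by a PORT or EPRT command, or None if the
    line is not a well-formed active-mode command."""
    m = _PORT_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        h1, h2, h3, h4, p1, p2 = fields
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = _EPRT_RE.match(line)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            return None
        return m.group(1), port
    return None


def helper_pinhole(client_ip, server_ip, control_port, line):
    """What the helper does for one command seen on the control channel.

    control_port is the destination port of the client's control connection.
    Returns the Pinhole to open, or None when nothing should be opened.
    """
    # No helper bound to this port: the command is just payload and no
    # pinhole is created. This is the situation the post's extra entry fixes.
    if control_port not in FTP_HELPER_PORTS:
        return None
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    # Anti-bounce sanity check (an assumption about helper behaviour, not a
    # FortiOS claim): only admit a data connection back to the host that
    # actually owns the control connection.
    if ip != client_ip:
        return None
    return Pinhole(server_ip, client_ip, port)


def allow_inbound_syn(pinholes, src_ip, dst_ip, dst_port):
    """Would the firewall admit a new inbound TCP connection given the open pinholes?"""
    return Pinhole(src_ip, dst_ip, dst_port) in pinholes


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 behind the firewall, server 203.0.113.5.
    client, server = "192.168.1.10", "203.0.113.5"
    cmd = "PORT 192,168,1,10,4,1"  # announces data port 4*256+1 = 1025
    for port in (21, 999, 2121):
        print(f"control port {port}: pinhole={helper_pinhole(client, server, port, cmd)}")
    open_pinholes = {helper_pinhole(client, server, 999, cmd)}
    print("server->client 1025 allowed:", allow_inbound_syn(open_pinholes, server, client, 1025))
    print("server->client 1026 allowed:", allow_inbound_syn(open_pinholes, server, client, 1026))
```

Running it shows a pinhole for control ports 21 and 999 but none for 2121, and only the announced data port (1025) being admitted; the same command arriving on a port without a helper leaves the server's connection back to the client unmatched and therefore dropped.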

1 comment:

Sudarsan said...

I have a FortiGate 60B. I am not able to connect to some of the FTP sites (which are secure SSL), but I am able to connect to other FTP sites without any problem. Do I need to configure anything in the firewall in order to connect to those secure sites through FTP?