FileZilla Client and FortiGate FTP Session Helper in Passive Mode

This article describes the behavior of FTP traffic in Passive Mode when using FileZilla Client with an FTP Server behind FortiGate.

Scope

FileZilla Client v3.67.1, FortiGate v7.4.x.

Solution

In this scenario, the FTP Client is located externally and wants to access the internal FTP Server behind FortiGate:

FTP Client (10.253.0.17) --- Internet --- VIP 10.47.3.179 (FortiGate) -- FTP Server 10.171.2.142

config firewall vip
    edit "FTP"
        set extip 10.47.3.179
        set mappedip "10.171.2.142"
        set extintf "any"
    next
end

With the FTP Session Helper, FortiGate translates the ‘Passive IP address’ in the FTP packet to the external IP address:

config system session-helper
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
end

This way, the FileZilla Client can send the data using the external IP address of the FTP Server. Without the FTP Session Helper, the ‘Passive IP address’ field still contains the local IP address.

The data transfer will fail because FortiGate will not allow incoming FTP traffic directly to private IP addresses. FileZilla Client has a setting to use the server’s external IP address, but it does not seem to be enforced: FileZilla Client still tries to connect to the private IP address of the FTP Server.
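
The following Python example is added for illustration and is not part of the original article or any Fortinet code. It parses the 227 passive-mode reply, models the address translation the session helper performs, and checks whether the advertised data address matches the VIP the client connected to. The function names and the data port (50000) are assumptions; the IP addresses are the ones used in this article.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

# Addresses from the article; the data port (50000) is a constructed sample value.
MAPPED_IP = "10.171.2.142"   # real FTP server behind the VIP
EXT_IP = "10.47.3.179"       # VIP address the client connects to
SERVER_REPLY = "227 Entering Passive Mode (10,171,2,142,195,80)"


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def rewrite_pasv(reply, mapped_ip, ext_ip):
    """Model of the helper's translation: mapped IP -> external IP in the payload."""
    ip, port = parse_pasv(reply)
    if ip != ipaddress.IPv4Address(mapped_ip):
        return reply  # not the VIP's mapped address, leave untouched
    hosts = str(ipaddress.IPv4Address(ext_ip)).replace(".", ",")
    return f"227 Entering Passive Mode ({hosts},{port >> 8},{port & 0xFF})"


def pasv_matches_control_peer(reply, control_peer):
    """True when the advertised data address is the address the client dialled."""
    ip, _ = parse_pasv(reply)
    return ip == ipaddress.IPv4Address(control_peer)


if __name__ == "__main__":
    for label, reply in (("no helper", SERVER_REPLY),
                         ("helper", rewrite_pasv(SERVER_REPLY, MAPPED_IP, EXT_IP))):
        ip, port = parse_pasv(reply)
        ok = pasv_matches_control_peer(reply, EXT_IP)
        print(f"{label:9} -> data channel {ip}:{port} matches VIP: {ok}")
```

The same check can be applied to the 227 line shown in the FileZilla message log to tell whether the reply reached the client translated or untranslated.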
