This article describes the FTP active mode behavior in v7.0.x and v7.2.x in the topology FTP client > NAT device > (port3) FortiGate (port2) > FTP server.
The FTP client is not reachable from the FortiGate: traffic initiated by the FortiGate cannot reach the FTP client because the FortiGate has no route to it.
Additionally, the FortiGate has the FTP session helper enabled.
Scope
FortiGate v7.0.x and v7.2.x
Solution
In FTP active mode, the FTP client announces its data address with a PORT command on the control connection, and the FTP server then connects back from port 20 to that address for the data exchange. The FTP session helper parses the PORT command and creates an expectation session for the data connection.
In FortiGate v7.0.14 (kernel 3.2), the expectation session inherits the dst entry from the master (control) session. On the fast path, the SYN from the FTP server is forwarded to dst->neighbour, even though the FortiGate has no route to the FTP client IP. Compare FortiGate port2 frame 20 with FortiGate port3 frame 97: the SYN packet is forwarded.
FTP Client
The FTP client initiates the connection with a PORT command:

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
17   0.000855  10.175.2.144  26482     10.176.1.12   21        FTP       81      27               Request: PORT 10,175,2,144,103,115
18   0.002430  10.176.1.12   21        10.175.2.144  26482     FTP       83      29               Response: 200 Port command successful

Decoded PORT command in frame 17:
File Transfer Protocol (FTP)
    PORT 10,175,2,144,103,115\r\n
        Request command: PORT
        Request arg: 10,175,2,144,103,115
        Active IP address: 10.175.2.144
        Active port: 26483
The FTP server connects back to the FTP client for data exchange:

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
20   0.007327  10.176.1.12   20        10.175.2.144  26483     TCP       66      0                20 → 26483 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
21   0.000575  10.175.2.144  26483     10.176.1.12   20        TCP       66      0                26483 → 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=128 SACK_PERM
22   0.000687  10.176.1.12   20        10.175.2.144  26483     TCP       54      0                20 → 26483 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
NAT Device
The NAT device received and forwarded the FTP client's PORT command. The source IP is translated to 10.174.2.190, but the address inside the PORT payload is left as the client's real IP 10.175.2.144:

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
17   0.000882  10.174.2.190  26482     10.176.1.12   21        FTP       81      27               Request: PORT 10,175,2,144,103,115
18   0.002402  10.176.1.12   21        10.174.2.190  26482     FTP       83      29               Response: 200 Port command successful
20   0.007267  10.176.1.12   20        10.175.2.144  26483     TCP       66      0                20 → 26483 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
21   0.000647  10.175.2.144  26483     10.176.1.12   20        TCP       66      0                26483 → 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=128 SACK_PERM
22   0.000648  10.176.1.12   20        10.175.2.144  26483     TCP       54      0                20 → 26483 [ACK] Seq=1 Ack=1 Win=2102272 Len=0

Decoded PORT command in frame 17:
    PORT 10,175,2,144,103,115\r\n
        Request command: PORT
        Request arg: 10,175,2,144,103,115
        Active IP address: 10.175.2.144  -> the FTP client's real IP address
        Active port: 26483
        Active IP NAT: True  -> Wireshark flags that the address in the PORT payload differs from the packet's source address, i.e. the control session was NATed but the payload was not rewritten
FortiGate Port3
Port3 received and forwarded the FTP client's PORT command:

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
94   0.001186  10.174.2.190  26482     10.176.1.12   21        FTP       81      27               Request: PORT 10,175,2,144,103,115
95   0.002149  10.176.1.12   21        10.174.2.190  26482     FTP       83      29               Response: 200 Port command successful
97   0.007033  10.176.1.12   20        10.175.2.144  26483     TCP       66      0                20 → 26483 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
98   0.000865  10.175.2.144  26483     10.176.1.12   20        TCP       66      0                26483 → 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=128 SACK_PERM
99   0.000388  10.176.1.12   20        10.175.2.144  26483     TCP       54      0                20 → 26483 [ACK] Seq=1 Ack=1 Win=2102272 Len=0

Decoded PORT command in frame 94:
    PORT 10,175,2,144,103,115\r\n
        Request command: PORT
        Request arg: 10,175,2,144,103,115
        Active IP address: 10.175.2.144
        Active port: 26483
        Active IP NAT: True
FortiGate Port2
Port2 received and forwarded the FTP client's PORT command to the FTP server, and the FTP server responded "Port command successful":

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
17   0.001247  10.174.2.190  26482     10.176.1.12   21        FTP       81      27               Request: PORT 10,175,2,144,103,115
18   0.002088  10.176.1.12   21        10.174.2.190  26482     FTP       83      29               Response: 200 Port command successful

Decoded PORT command in frame 17:
    PORT 10,175,2,144,103,115\r\n
        Request command: PORT
        Request arg: 10,175,2,144,103,115
        Active IP address: 10.175.2.144
        Active port: 26483
        Active IP NAT: True

The FTP server connects back to the FTP client for data exchange:

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
20   0.006972  10.176.1.12   20        10.175.2.144  26483     TCP       66      0                20 → 26483 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM  -> the SYN is forwarded to the FTP client (seen leaving port3 as frame 97)
21   0.000920  10.175.2.144  26483     10.176.1.12   20        TCP       66      0                26483 → 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=128 SACK_PERM  -> the real FTP client returns SYN, ACK
22   0.000346  10.176.1.12   20        10.175.2.144  26483     TCP       60      0                20 → 26483 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
In v7.2.8 (kernel 4.19), the expectation session also inherits the dst entry from the master session. However, dst->neighbour no longer exists in kernel 4.19. Instead, a neighbour lookup is performed using dst->dev and the destination address. Because the FortiGate has no route to the FTP client, that lookup fails and the SYN is not forwarded out.
The FTP server's SYN reaches port2 but is never seen on port3 in FortiGate 7.2.8; the server keeps retransmitting it:

No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
17   0.011320  10.174.2.190  26465     10.176.1.12   21        FTP       80      26               Request: PORT 10,175,2,144,103,98
20   0.011100  10.176.1.12   20        10.175.2.144  26466     TCP       66      0                20 → 26466 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM  -> the SYN is not forwarded to the FTP client
22   3.001027  10.176.1.12   20        10.175.2.144  26466     TCP       66      0                [TCP Retransmission] 20 → 26466 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM  -> SYN retransmission
23   6.000123  10.176.1.12   20        10.175.2.144  26466     TCP       66      0                [TCP Retransmission] 20 → 26466 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM  -> SYN retransmission
Note: In v7.2.x this works only if the FortiGate has a route to the FTP client (for example, a static route for the client's network pointing at the NAT device on port3). Adding a route to the FortiGate restores the data connection; the NAT device not rewriting the address inside the PORT payload is what makes the route necessary in the first place. The same applies to any TCP protocol whose session helper creates expectation sessions in the topology Source -> NAT device -> (port3) FortiGate (port2) -> Destination.
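The decision described above, as an added example that is not FortiOS code and not part of the original article: it decodes the PORT argument the way the session helper must, derives the expectation session's 5-tuple, flags the un-rewritten payload (Wireshark's "Active IP NAT"), and models the fast-path forwarding decision for kernel 3.2 versus kernel 4.19 against a constructed routing table. The routing-table prefixes, and the use of the NAT device's translated address 10.174.2.190 as the gateway of the added static route, are assumptions; the article only gives host addresses.

```python
"""Model of the FTP active-mode expectation session and the FortiGate fast-path
forwarding decision for kernel 3.2 versus 4.19.  Added example, not FortiOS code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, gateway or None when directly connected, device)
Route = Tuple[str, Optional[str], str]

# Assumed FortiGate routing table: only the two connected networks from the
# topology.  Prefix lengths are an assumption; the article gives host addresses.
BASE_TABLE: List[Route] = [
    ("10.174.2.0/24", None, "port3"),   # towards the NAT device
    ("10.176.1.0/24", None, "port2"),   # towards the FTP server
]
# The same table plus a static route to the FTP client network via the NAT device
# (gateway address is an assumption: the NAT device's translated address).
FIXED_TABLE: List[Route] = BASE_TABLE + [("10.175.2.0/24", "10.174.2.190", "port3")]


def parse_port_command(arg: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command (RFC 959)."""
    fields = [int(x) for x in arg.strip().split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return ip, port


def lookup_route(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match; returns the matching route or None when no route exists."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def expectation_session(server_ip: str, control_src_ip: str, port_arg: str,
                        table: List[Route]) -> Dict:
    """What the FTP session helper installs after seeing PORT on the control
    session (control_src_ip -> server_ip:21): server:20 -> announced client address."""
    client_ip, client_port = parse_port_command(port_arg)
    return {
        "src": (server_ip, 20),
        "dst": (client_ip, client_port),
        # Wireshark's "Active IP NAT: True": the packet's source was translated
        # but the address inside the PORT payload was not rewritten.
        "payload_nat": client_ip != control_src_ip,
        # The expectation inherits the master session's dst entry, i.e. the route
        # the FortiGate uses to reply to the control session's (translated) source.
        "inherited_dst": lookup_route(table, control_src_ip),
    }


def data_syn_forwarded(kernel: str, table: List[Route], expect: Dict) -> bool:
    """Fast-path decision for the FTP server's SYN towards the expectation's destination."""
    if lookup_route(table, expect["dst"][0]) is not None:
        return True                                  # a real route exists: both kernels forward
    if kernel == "3.2":
        return expect["inherited_dst"] is not None   # forwards via the inherited dst->neighbour
    return False                                     # 4.19: neighbour lookup on dst->dev fails


if __name__ == "__main__":
    # Constructed from the article's capture: NATed control session 10.174.2.190 -> 10.176.1.12:21
    for table, label in ((BASE_TABLE, "no route to client"), (FIXED_TABLE, "static route added")):
        exp = expectation_session("10.176.1.12", "10.174.2.190", "10,175,2,144,103,115", table)
        print(f"{label}: expectation {exp['src']} -> {exp['dst']}, payload NATed={exp['payload_nat']}")
        for kernel in ("3.2", "4.19"):
            print(f"  kernel {kernel}: SYN forwarded = {data_syn_forwarded(kernel, table, exp)}")
```

On the FortiGate itself the equivalent check is "get router info routing-table details 10.175.2.144": if it reports no route to the FTP client, a v7.2.x expectation session for that client cannot be forwarded.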