Fortigate FTPS - 425 Can't open data connection.
Posted on 2009-04-06
We have just replaced our ISA Firewall Cluster with two Fortigate 110C units.
The FTP server runs FileZilla FTP Server, configured to use FTPS (TCP 990) as the command port and 50000-51000 as the data ports.
I have set up the Virtual IPs to forward the 990 traffic to the server and created a firewall policy to allow 990 and 50000-51000.
When making a client connection I get the following:
Status: Connecting to xxx.xxx.xxx.xxx:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220-FileZilla Server version 0.9.27 beta
Response: 220 Welcome to xyz server
Command: USER myusername
Response: 331 Password required for myusername
Command: PASS **************
Response: 230 Logged on
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Protection level set to P
Status: Retrieving directory listing...
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,195,247)
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
From that log I can determine that the connection to the server via port 990 is successful and authenticates; however, the client cannot connect to the data port 50167 (195*256+247).
Now what I am assuming is that the Fortigates are not allowing the connection because the data ports are not forwarded and I somehow have to tell the Fortigate to allow the connection through (I thought it might be NAT, so I enabled this option on the firewall policy, but this made no difference), and I don't think forwarding the whole 50000-51000 range is the correct method either.
I also tried applying a protection profile that has no Anti-Virus etc. applied to it, but that still didn't fix it.
Does anyone have any ideas where I'm going wrong?
I know FTPS is ugly and it wasn't my choice, but I have to get it working nonetheless. It worked fine with the ISA cluster (YUCK!), so what the hell was ISA doing that I need to tell the Fortigates to do?
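An added diagnostic, not part of the thread: a small Python script that parses a FileZilla client log like the one above, decodes the 227 passive-mode reply into the data port the server announced (195*256+247), and checks whether that port lies inside the range the firewall policy is meant to forward. The sample log and its IP address are constructed; the port range 50000-51000 is the one from the post.

```python
import re

# Constructed sample log, modelled on the session in the post; the IP is a
# documentation address (RFC 5737), not a real server.
SAMPLE_LOG = """\
Command: PROT P
Response: 200 Protection level set to P
Command: TYPE I
Response: 200 Type set to I
Response: 227 Entering Passive Mode (203,0,113,10,195,247)
Response: 425 Can't open data connection.
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one.
    The port is sent as two bytes: high * 256 + low (195*256+247 = 50167)."""
    m = PASV_RE.search(line)
    if not m:
        return None
    a, b, c, d, hi, lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


def check_session(log, allowed_ranges):
    """Walk a client log and report whether the announced passive data port
    falls inside the forwarded ranges [(low, high), ...], whether the control
    channel was encrypted (PROT P) and whether the data connection failed (425)."""
    r = {"pasv": None, "in_range": None, "protected": False, "data_failed": False}
    for line in log.splitlines():
        if line.startswith("Command:") and "PROT P" in line:
            r["protected"] = True
        pasv = parse_pasv(line)
        if pasv:
            r["pasv"] = pasv
            r["in_range"] = any(lo <= pasv[1] <= hi for lo, hi in allowed_ranges)
        if " 425 " in line:
            r["data_failed"] = True
    if r["pasv"] is None:
        r["diagnosis"] = "no 227 reply seen; the problem is on the control channel"
    elif not r["in_range"]:
        r["diagnosis"] = "server announced a data port outside the forwarded range"
    elif r["data_failed"] and r["protected"]:
        r["diagnosis"] = ("data port is in range but unreachable; with PROT P the 227 reply "
                          "is encrypted, so the firewall cannot read it and open the port "
                          "dynamically, and the passive range needs a static VIP and policy")
    elif r["data_failed"]:
        r["diagnosis"] = "data port in range but unreachable; check the VIP and policy"
    else:
        r["diagnosis"] = "data connection looks fine"
    return r
```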