In this article, let me show you how to allow incoming FTP traffic through a FortiGate firewall so that you can host FTP sites to the outside world. We will use the port forwarding technique to achieve this: any incoming FTP request arriving at the external (WAN) interface will be forwarded to the FTP server on the internal network. FortiGate is a popular hardware firewall that can protect your home and office network from network threats. We can set up several firewall policies and filtering options to secure the network. It can also work as a web application firewall if you are hosting web or FTP sites internally but want to allow access to external users over the internet.
We have earlier published a guide about setting up an FTP server on Windows 10/8.1 and how to allow FTP traffic through the Windows firewall service. If you want to host the same FTP site from a Windows PC or Windows 2012 R2 server to the external network through a FortiGate firewall, this post will be useful.
Note: Although the screenshots below were taken on FortiOS 5.x, the steps also apply to later versions such as 6.x. You will find similar options, but with a slightly different GUI.
Steps to Allow FTP Port Forwarding in FortiGate
1) Create a virtual IP that maps the external IP to the internal IP with the correct TCP/UDP port number.
First, check the WAN IP of the interface that is connected to the internet. If you have a static public IP on the WAN interface, write it down.
If the WAN interface does not have a static IP (i.e., its address changes dynamically), you should use a 'dynamic DNS' service such as DynDNS to map a particular host name to the current IP address. You can check this guide about setting up DynDNS on FortiGate.
Head down to ‘Virtual IPs’ and create a new virtual IP.
Enter a name for the object and select the WAN interface that will receive the incoming FTP traffic. As mentioned earlier, if the WAN IP is dynamic (not fixed), leave 'External IP address/Range' at 0.0.0.0 as shown below; otherwise, enter the static IP in these fields.
In the next box, type the IP address of the local FTP server that will accept FTP traffic through this FortiGate firewall.
Enable Port Forwarding and enter port number 21 as the TCP port (the port the FTP protocol uses by default). Click OK to save the changes.
2) Create a new firewall policy to allow incoming FTP traffic.
Select the WAN port as the incoming interface and 'all' under Source Address.
Select the interface to which the FTP server's network is connected; usually this is the internal or DMZ port.
The destination address should be the virtual IP created in step 1. Set a schedule if you want to restrict access to a specific time window.
The service can be 'ALL' or 'FTP'. Since we already set the FTP port number in the virtual IP, selecting 'ALL' will not cause any issues. Select Accept as the Action.
If you have security profiles to restrict and monitor the traffic, you can apply them in the Security Profiles area. Do not forget to enable the logging options if you want to log and track the allowed traffic. With the above policy, we have allowed incoming FTP traffic on the WAN interface using the FortiGate port forwarding method.
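The same two objects (the virtual IP from step 1 and the policy from step 2) as they appear in the FortiOS CLI. This is an added example, not configuration from the original article or from Fortinet; the interface names "wan1" and "internal", the server address 192.168.1.10 and the object names are assumptions you replace with your own values.

```fortios
# Step 1: virtual IP. extip 0.0.0.0 means "use whatever address wan1
# currently has", which is the dynamic-WAN case described above.
# For a static public IP, replace 0.0.0.0 with that address.
config firewall vip
    edit "VIP-FTP-Server"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.168.1.10"
        set portforward enable
        set protocol tcp
        set extport 21
        set mappedport 21
    next
end

# Step 2: inbound policy from wan1 to the interface where the FTP
# server lives. "edit 0" lets FortiOS pick the next free policy ID.
config firewall policy
    edit 0
        set name "Allow-Inbound-FTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-FTP-Server"
        set action accept
        set schedule "always"
        set service "FTP"
        set logtraffic all
    next
end
```

Only the control channel (TCP/21) is forwarded by the virtual IP. FortiOS ships with an FTP session helper bound to TCP/21 that watches the PORT/PASV exchange on that control session and opens the data connection for it, which is why keeping the server on port 21 matters: if you move FTP to another port, the helper no longer sees the control channel and the data connection will not be tracked unless a matching session-helper entry is added.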
Two important checks
- Make sure the FTP service is listening on port 21 on the server, because we allowed only that port number. If you are hosting FTP or SFTP sites on different port numbers, you need to modify the virtual IP to forward that particular port.
- The default gateway of the FTP server should be the FortiGate internal interface IP. For example, if you have multiple FortiGate devices and routers on the network, the FTP server's gateway must point to the FortiGate that accepts the incoming FTP traffic, because the return traffic will flow back only through that default gateway.
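A way to verify both checks from the FortiGate console once the configuration is in place. This is an added example, not part of the original article; it assumes the same server address 192.168.1.10 and interface name "wan1" as above, and the port filter is set to 21.

```fortios
# Check 1: is the server actually answering on TCP/21 from the
# FortiGate's own internal side? A working service replies with a
# "220 ..." FTP greeting.
execute telnet 192.168.1.10 21

# Check 2: trace one inbound connection through VIP lookup, policy
# lookup and routing. Start the trace, connect from an outside host,
# then stop it and clear the debug settings.
diagnose debug flow filter port 21
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# ... make a test FTP connection from the internet side now ...

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# Packet-level view of the same test: the SYN arriving on wan1, the
# translated SYN leaving toward 192.168.1.10, and the SYN-ACK coming
# back. Verbose level 4 prints interface names; 20 packets is enough.
diagnose sniffer packet any 'port 21' 4 20
```

In the flow trace, a successful request shows the DNAT from the WAN address to 192.168.1.10:21 followed by "Allowed by Policy-<id>"; "Denied by forward policy check" means the policy did not match (wrong interfaces, service, or destination address). In the sniffer output, a SYN going out to the server with no SYN-ACK returning on the internal interface is the classic symptom of the gateway problem in the second check: the server is sending its replies to a different router. On a Windows FTP server, `ipconfig` or `route print` shows which default gateway it is using.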