FTP Rule, Allow FTP Incoming Traffic on FortiGate, FortiOS 5.2

In this article, let me show how to allow FTP incoming traffic on FortiGate firewall device, so that incoming FTP requests from external (WAN) interface will reach the FTP server on the internal network. FortiGate is a famous hardware firewall device which can protect your home and office network from network threats. You can setup several firewall policies and filtering options to secure the network. It can also work as web application firewall device if you are hosting web or FTP sites internally but want to allow access to external users through internet.

This guide shows the step by step methods to allow incoming FTP traffic on FortiOS 5.2 and later versions. These same steps can be followed on earlier FortiOS versions too. This task can be achieved by setting up a virtual IP and firewall policy on the FortiGate device.

We have earlier published a guide about setting up FTP server on Windows 8.1/7/10 and how to allow FTP traffic on Windows firewall service. If you want to host the same FTP site from Windows PC or Windows 2012 R2 server to outside internet through FortiGate firewall, then this post will be useful.

Steps to Allow FTP Traffic in FortiGate

1) Create a virtual IP which maps the internal and external IP with correct TCP/UDP port number.

Firstly check the WAN IP of the interface which is connected to internet. If you have an static public IP on the WAN interface, then write it down. You can see the current IP here.Check the WAN IP in FortiGate

If you do not have the static IP on WAN interface and it changes every time dynamically, then we do not need to know the IP as mentioned above. When you have the dynamic IP, obviously you should use ‘dynamic DNS’ service such as DynDNS to map the particular web address name to IP address. You can check this guide about how to setup DynDNS on Fortigate 5.2 OS.

Head down to ‘Virtual IPs’ and create a new virtual IP. Enter the Name of object, select the correct WAN interface which will receive the incoming FTP traffic. As said earlier, if the WAN IP is a dynamic (not fixed), leave the ‘External IP address/Range’ to 0.0.0.0 as shown below, otherwise you have to enter the static IP in these fields.

On the next box, type the IP address of the local FTP server which will accept FTP traffic through this FortiGate Firewall. Enable Port Forwarding and enter port number 21 as TCP port (which is used by FTP protocol by default).  Click OK to make the changes.

create virtual ip in fortigate 5.2

2) Create a firewall policy to allow incoming FTP traffic in FortiGate, FortiOS 5.2 and later versions.

Select the WAN port as incoming port and ‘all’ under source address. Select the port where the network of FTP server is connected, mostly it could be on  internal or DMZ port. Destination address should be the virtual IP we created in step 1, set the schedule if you want to restrict the access during specific time. The service can be ‘ALL’ or ‘FTP’, since we set the FTP port number in virtual IP, selecting the ‘All’ will not cause any issues. Select Accept in Action.

If you have any security profiles to restrict and monitor the traffic, you can apply them under security profiles area. Do not forget to enable Logging options if you like to log and track the allowed traffic. allow incmoing ftp in fortigate 5.2 That’s it, we have successfully setup the FortiGate which is running on FortiOS 5.2 or later versions to allow incoming FTP traffic.

3) Two important checks on the local Windows or Linux FTP server.

i) Make sure FTP service is running on port 21 on FTP server, because we allowed only this port on the firewall device. In some cases, FTP service would have been set to run on different port number, if so, FortiGate virtual IP should modified to accept particular port number.

ii) Gateway of the FTP server should be the FortiGate internal interface IP. For example if you have multiple FortiGate devices and Gateways to connect internet, the FTP server gateway IP  should point to the FortiGate which is accepting the incoming FTP traffic. Because the traffic will flow back by that default gateway only.

Hope this guide and step by step methods will be useful to allow incoming FTP traffic on FortiGate and forward it to Windows or Linux FTP servers which is hosted inside your local network.