FortiGate
ereddy
Staff
Article Id 195966
Description
This article describes how to delete session helpers, especially in passive mode.

Solution
For some FTP connections, FortiGate triggers the session helpers, which can cause issues when establishing FTP connections through FortiGate.

In such a scenario, it is possible to delete the FTP session helpers on FortiGate.
However, before deleting the session helpers, it is recommended to verify and confirm whether the relevant sessions are using session helpers.


The commands below help look for session helpers by filtering the session table.
# diag sys session filter src x.x.x.x
# diag sys session filter dst x.x.x.x
# diag sys session filter dport <port>
Then list the matching sessions with the command below.
# diag sys session list

session info: proto=6 proto_state=01 duration=128 expire=3471 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=FTP vlan_cos=0/255
state=dirty may_dirty npu synced netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=540/5/1 reply=412/3/1 tuples=2
tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 3/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.29.2:57417->10.96.11.11:21(0.0.0.0:0)
hook=post dir=reply act=noop 10.96.11.11:21->172.16.29.2:57417(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=111215 auth_info=0 chk_client_info=0 vd=0
serial=9456477d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: helper
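
The check described above can be run over a saved copy of the session list; in the output, helper=FTP and no_ofld_reason: helper are the fields that show a session helper is attached. The following is an added example, not part of the original article or Fortinet tooling; the function names are hypothetical and the second sample session is constructed.

```python
import re

# Constructed sample: two sessions in the format printed by "diag sys session list",
# trimmed to the fields the parser reads. The first mirrors the session shown above.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=128 expire=3471 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=FTP vlan_cos=0/255
hook=pre dir=org act=noop 172.16.29.2:57417->10.96.11.11:21(0.0.0.0:0)
misc=0 policy_id=111215 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason: helper
session info: proto=6 proto_state=01 duration=9 expire=3590 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=pre dir=org act=noop 172.16.29.2:57420->10.96.11.11:443(0.0.0.0:0)
misc=0 policy_id=111215 auth_info=0 chk_client_info=0 vd=0
"""

FIELDS = {
    "helper": re.compile(r"\bhelper=(\S+)"),
    "policy_id": re.compile(r"\bpolicy_id=(\d+)"),
    "no_ofld_reason": re.compile(r"^no_ofld_reason:[ \t]*(\S.*?)[ \t]*$", re.M),
    "flow": re.compile(r"dir=org\s+act=\S+\s+(\S+?)->([^\s(]+)"),
}

def parse_sessions(text):
    """Split the dump on 'session info:' and pull out the helper-related fields."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        if not block.startswith("session info:"):
            continue  # skip the CLI prompt or blank text before the first session
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(block)
            if name == "flow":
                rec["src"], rec["dst"] = m.groups() if m else (None, None)
            else:
                rec[name] = m.group(1) if m else None
        sessions.append(rec)
    return sessions

def helper_sessions(text):
    """Return only the sessions that have a session helper attached."""
    return [s for s in parse_sessions(text) if s["helper"]]

if __name__ == "__main__":
    for s in helper_sessions(SAMPLE):
        print(f'{s["src"]} -> {s["dst"]} policy={s["policy_id"]} '
              f'helper={s["helper"]} no_ofld_reason={s["no_ofld_reason"]}')
```
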
For further assistance, open a ticket with FortiGate TAC.

Related Articles

Technical Tip: Enable and disable FortiGate system session helpers
