<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: FTP passive mode issue in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40521#M29760</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Hulk,&lt;/P&gt;&lt;P&gt;Yes, but if you look at the first session on the traffic tab, you can see that the first session was established on port 35829 and correctly decoded as the FTP app. After that all the others were detected as not-applicable and dropped.&lt;/P&gt;&lt;P&gt;Can you tell me how to enable predict sessions only for FTP?&lt;/P&gt;&lt;P&gt;Tician&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 03 Feb 2015 18:54:20 GMT</pubDate>
    <dc:creator>Tician</dc:creator>
    <dc:date>2015-02-03T18:54:20Z</dc:date>
    <item>
      <title>FTP passive mode issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40519#M29758</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;I read somewhere on this forum a similar article from October 2014, and it seems that the problem with passive FTP was in the new content ID. However, some time has passed since then, and I have an issue with FTP passive mode on my VM-100 (PAN-OS 6.0.5, content ver. 483-2549..).&lt;/P&gt;&lt;P&gt;I captured traffic with pcap on the PAN directly (all stages) and noticed that it had a drop stage. From the traffic log everything goes well (3-way handshake, authentication, change directory, FTP commands..). But after the PASV request from the client, the server responds with entering passive mode on port xxxx, the client sends a SYN sequence to the offered port xxxx and never establishes the connection, with packets dropped by the FW for that connection and port.&lt;/P&gt;&lt;P&gt;&lt;IMG alt="srv.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18126_srv.png" /&gt;&lt;/P&gt;&lt;P&gt;Forward stage on the firewall pcap with the traffic log for that connection&lt;/P&gt;&lt;P&gt;&lt;IMG alt="tx_stage_retransmission.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18127_tx_stage_retransmission.png" /&gt;&lt;/P&gt;&lt;P&gt;Tx stage with re-transmission&lt;/P&gt;&lt;P&gt;&lt;IMG alt="drop_stage_for_syn_passive.png" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/18131_drop_stage_for_syn_passive.png" /&gt;&lt;/P&gt;&lt;P&gt;Drop stage on the FW for the SYN and all other packets destined to the passive FTP port&lt;/P&gt;&lt;P&gt;A security policy was created to permit FTP with default-app in the service field. From the CLI I caught output showing that an ftp-data session was created to the destination FTP server and port xxxx.&lt;/P&gt;&lt;P&gt;Tician&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Feb 2015 09:59:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40519#M29758</guid>
      <dc:creator>Tician</dc:creator>
      <dc:date>2015-02-03T09:59:25Z</dc:date>
    </item>
    <item>
      <title>Re: FTP passive mode issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40520#M29759</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello &lt;A href="https://live.paloaltonetworks.com/people/Tician"&gt;Tician&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Could you please check the predict session on this firewall for that FTP connection? I think the PAN is unable to open the pinhole for the new connection on port 35829.&lt;/P&gt;&lt;P&gt;A similar discussion thread: &lt;A href="https://live.paloaltonetworks.com/message/25461"&gt;Re: About ftp passive mode App-ID insufficient-data&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Feb 2015 16:43:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40520#M29759</guid>
      <dc:creator>HULK</dc:creator>
      <dc:date>2015-02-03T16:43:44Z</dc:date>
    </item>
    <item>
      <title>Re: FTP passive mode issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40521#M29760</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Hulk,&lt;/P&gt;&lt;P&gt;Yes, but if you look at the first session on the traffic tab, you can see that the first session was established on port 35829 and correctly decoded as the FTP app. After that all the others were detected as not-applicable and dropped.&lt;/P&gt;&lt;P&gt;Can you tell me how to enable predict sessions only for FTP?&lt;/P&gt;&lt;P&gt;Tician&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Feb 2015 18:54:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40521#M29760</guid>
      <dc:creator>Tician</dc:creator>
      <dc:date>2015-02-03T18:54:20Z</dc:date>
    </item>
    <item>
      <title>Re: FTP passive mode issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40522#M29761</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I found the cause of this behavior. The problem is on a NAT device which is behind the PAN firewall. The client initiates a connection and one FTP session is created, but at the moment the client sends the PASV request to the server and the server responds with port XXXX, the client initiates a connection to the server on port XXXX. At that moment the FW creates a new ftp-data session in INIT state with the default timeout of 5 sec, but the NAT device took a long time to respond, more than 5 sec, which is the default timeout for INIT sessions on the PAN FW. At that stage there is no valid open session, so the firewall considered such a session not-applicable and dropped it as a result.&lt;/P&gt;&lt;P&gt;So if I increase the INIT session timeout to 10 sec, there are no drops and the ftp-data sessions transition from INIT to FLOW. But I'm not happy with increasing the session timeout, so I need to trace the issue on the NAT device and the cause of the slow response.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Predrag&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Feb 2015 18:15:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ftp-passive-mode-issue/m-p/40522#M29761</guid>
      <dc:creator>Tician</dc:creator>
      <dc:date>2015-02-06T18:15:39Z</dc:date>
    </item>
  </channel>
</rss>