https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48531#M35729 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>We find that if ftp runs passive mode and go through paloalto fw, in the fw monitor -&gt; logs -&gt; traffic, we'll see the application should be identified as insufficient-data.</P><P>I also find that there are just few bytes for every logs in the Bytes column.</P><P>Anyone knows how to explain those results<SPAN style="font-size: 10pt; line-height: 1.5em;"> ?</SPAN></P></BODY></HTML> Tue, 26 Mar 2013 04:41:44 GMT paloalto.netfos 2013-03-26T04:41:44Z https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48531#M35729 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>We find that if ftp runs passive mode and go through paloalto fw, in the fw monitor -&gt; logs -&gt; traffic, we'll see the application should be identified as insufficient-data.</P><P>I also find that there are just few bytes for every logs in the Bytes column.</P><P>Anyone knows how to explain those results<SPAN style="font-size: 10pt; line-height: 1.5em;"> ?</SPAN></P></BODY></HTML> Tue, 26 Mar 2013 04:41:44 GMT https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48531#M35729 paloalto.netfos 2013-03-26T04:41:44Z https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48532#M35730 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log..</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Ref:<A href="https://live.paloaltonetworks.com/docs/DOC-1549">Incomplete, Insufficient data and Not-applicable in the application field</A></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P></BODY></HTML> Tue, 26 Mar 2013 04:54:44 GMT https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48532#M35730 UhMayYeah 2013-03-26T04:54:44Z https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48533#M35731 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Thanks for feedbacks quickly. So if ftp runs passive mode and pass through paloalto fw, the fw could not identify it correctly as application "ftp", right? or not?</P><P></P><P>Regards,</P><P>Joy</P></BODY></HTML> Tue, 26 Mar 2013 06:10:34 GMT https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48533#M35731 paloalto.netfos 2013-03-26T06:10:34Z https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48534#M35732 <HTML><HEAD></HEAD><BODY><P>Yes ,you would see <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">insufficient-data, if the firewall does not see enough data packets to identify this traffic.</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Do you see the traffic matching the expected security rule?</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">P.S: Application FTP would cover both Active+Passive variants.</SPAN></P><P><SPAN style="background-color: #ffffff; color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.5em;">-Ameya</SPAN></P></BODY></HTML> Tue, 26 Mar 2013 07:16:00 GMT https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48534#M35732 UhMayYeah 2013-03-26T07:16:00Z https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48535#M35733 <HTML><HEAD></HEAD><BODY><P>I agree with Ameya.</P><P></P><P>"few bytes for every log" also indicates that there's not enough data. Basically, even just to login to ftp server, the traffic size usually becomes a few hundred bytes. The first thing to check is to see whether ftp is really working.</P><P></P><P>- Yasu</P></BODY></HTML> Tue, 26 Mar 2013 09:10:24 GMT https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48535#M35733 ymiyashita 2013-03-26T09:10:24Z https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48536#M35734 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>After upgrade content version 364-1728, the pa fw can correctly identified applicatin of ftp passive mode as "ftp" with high random ports.</P><P>My security policies setting as below.</P><P></P><P>Trust-zone, any source-addresses, to&nbsp; Untrust-zone, any destination-addresses, application eq ftp,service application-default, action eq allow.</P><P></P><P>Regards,</P></BODY></HTML> Fri, 29 Mar 2013 03:25:02 GMT https://live.paloaltonetworks.com/t5/general-topics/about-ftp-passive-mode-app-id-insufficient-data/m-p/48536#M35734 paloalto.netfos 2013-03-29T03:25:02Z