topic Re: FTP session logged as 2 TCP sessions in General Topics

FTP session logged as 2 TCP sessions

santonic — Tue, 28 Oct 2014 13:07:07 GMT

Hello.

I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule is 'any'. One of the applications users will be using is FTP.

When I look at traffic logs i see 2 TCP session for each use of FTP application. Let's say client is at 1.1.1.1 and FTP server at 2.2.2.2.

Every time a client starts FTP session i see 2 TCP sessions in logs:

- TCP session from 1.1.1.1:yyyy to 2.2.2.2:21

- followed by TCP session from 2.2.2.2:xxxx to 1.1.1.1:20

I know FTP application consists of 2 TCP session. But shouldn't PA as an application firewall match DATA session with CONTROL session and regard them as single use of FTP application?

This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall.

Best regards,

Simon

Re: FTP session logged as 2 TCP sessions

HULK — Tue, 28 Oct 2014 13:24:47 GMT

Hello Simon,

Could you please confirm the session type in both directions:

For an example:

vsys1 199.167.52.5[4501]/Untrust-ISP (199.167.52.5[4501])

63320 ssh ACTIVE --------------- FLOW-------------------- ND 199.167.52.5[4030]/Untrust-ISP/6 (199.167.52.5[4030]) >>>>>>>>>>>>>>>>>>>>> this is a flow session.

I hope the TCP session from 2.2.2.2:xxxx to 1.1.1.1:20 is not a flow session, it's a PRED ( predict session). So, the firewall is expecting a connection from the server on that port. This is part of ALG ( application layer gateway) functionality.

Hope this helps.

Re: FTP session logged as 2 TCP sessions

hshah — Tue, 28 Oct 2014 13:32:10 GMT

Hi Santonic,

Kindly provide us output for "show session all filter source 1.1.1.1 destination 2.2.2.2:21". Make sure you have just started the FTP application.

As per issue, this output will generate two sessions. Then provide us output for "show session id <>" for both the sessions.

This will help us to determine root cause precisely.

Regards,

Hardik Shah

Re: FTP session logged as 2 TCP sessions

santonic — Tue, 28 Oct 2014 13:35:55 GMT

Thanx for the tip, i'll try to catch such session live.

Do predicted sessions go into traffic log as a seperate (TCP) session?

Re: FTP session logged as 2 TCP sessions

HULK — Tue, 28 Oct 2014 13:40:15 GMT

Hello santonic,

As per my understanding, predict session will be not logged under traffic logs. It will be only appear in the session table.

Thanks

Re: FTP session logged as 2 TCP sessions

dreputi — Tue, 28 Oct 2014 13:55:43 GMT

Hello Santonic,

It looks like you are describing Active FTP where the client first initiates a connection on Command port 21 to server and the server responds to it. Then server will initiate a connection from its side to client for data connection using port 20.

https://live.paloaltonetworks.com/docs/DOC-6936

But PAN uses its ALG(Application Layer Gateway) to inspect the layer 7 packets of the FTP connection ie from client to server's port 21 and its response from server. PAN then sees what ports the client and server's are negotiating, it will open a predict session of type PRED from server's side to Client's side on those specific ports. This is done dynamically so you DON'T have to open up those ports explicitly. When the firewall sees traffic coming from the server matching those ports, then it will convert this PRED session into ACTIVE session. This also means you DON'T have to create new security or NAT rules to allow traffic in the reverse direction. The other alternative is to use a Passive FTP where client only initiates connections in both the directions.

Moreover the second session doesn't appear to be correct in your example since the client will not serve anything on its port 20.

Regards,

Dileep

Re: FTP session logged as 2 TCP sessions

hshah — Tue, 28 Oct 2014 13:59:04 GMT

Hi Santonic,

Predict session do not appear in traffic log because there is no actual data exchange.

if there is any packet exchange than its seen as FTP log in traffic log rather than FTP-data. Kindly refer following document.

Cannot Use 'ftp-data' as a Valid Application Selection for a Security Rule

Regards,

Hardik Shah

Re: FTP session logged as 2 TCP sessions

santonic — Tue, 28 Oct 2014 14:54:44 GMT

dreputi

Yep, I copied it wrong. It should be like this:

Every time a client starts FTP session i see 2 TCP sessions in logs:

- TCP session from 1.1.1.1:yyyy to 2.2.2.2:21 application ftp

- followed by TCP session from 2.2.2.2:20 to 1.1.1.1:xxxx application ftp

I agree that I shouldn't be opening session for the DATA traffic in the other direction. But that means 2nd session will always be blocked when we implement the drop rule. Will FTP still work?

hshah

Yes, I agree that predicted sessions aren't logged and that there is no such application as ftp-data needed.

But I do see a TCP session in other direction in traffic log, it's recognised as ftp application, there was some data transfered through it and it always appears after a ftp session from client to server. And that means I need to explicitly open everything from source port 20 in the other direction?

Re: FTP session logged as 2 TCP sessions

dreputi — Tue, 28 Oct 2014 15:00:20 GMT

Yes, it should work even if you have a drop rule. This is because the ALG is tracking the session based on its prediction. Like I mentioned earlier, ALG opens a predict session on for the second connection and when it receives that traffic, PAN will match the traffic to PRED session and convert it to ACTIVE session.

Let us know if you have any questions.

Re: FTP session logged as 2 TCP sessions

HULK — Tue, 28 Oct 2014 15:03:25 GMT

Hello santonic,

The ALG should take care about the predict session from the opposite direction and you need not to open port/policy in the other direction. The FW should be intelligent enough to match packets from the same session.

Thanks

Re: FTP session logged as 2 TCP sessions

hshah — Tue, 28 Oct 2014 17:25:21 GMT

Hi Santonic,

Return connection " 2.2.2.2:20 to 1.1.1.1:xxxx application ftp" may be for future ftp-data. And that is expected behavior. Can you provide us show session id output for both the sessions.

Regards,

Hardik Shah

Re: FTP session logged as 2 TCP sessions

santonic — Wed, 29 Oct 2014 07:31:02 GMT

Ok, I understand about PREDICT sessions, but we all agree those shouldn't be seen in traffic logs?

And I agree I shouldn't have to create a rule for traffic back, but in that case the session back in logs will be blocked?

And Session IDs for pair of such connections are different.

Here is the screenshot of such sessions for easier understanding:

Another thing: for the security zone where the FTP server is we have a zone protection profile which doesn't reject Non-SYN TCP sessions and bybasses Asymmetric Paths.

But the mentioned FTP traffic isn't asymmetric so this zone protection profile shouldn't have any influence on these sessions.

Re: FTP session logged as 2 TCP sessions

hshah — Wed, 29 Oct 2014 13:41:55 GMT

Hi Santonic,

I see FTP session on port 21 and 20 are in pair. Which means one is for control channel and other one is for data channel.

Now, FTP server might be sending file through multiple sessions to get better throughput. Thats the reason there are multiple sessions.

I have seen server applications using multiple sessions to get faster throughput. May I know which FTP server are you using.

Regards,

Hardik shah

Re: FTP session logged as 2 TCP sessions

lewis — Wed, 29 Oct 2014 14:32:18 GMT

@ santonic I had the same questions when i discovered what appeared to be IPs out on the internet doing FTP into our network but I believed should have been dropped. Under further investigation and a ticket to support I found out about the predict sessions. RTP also works this way too.

Re: FTP session logged as 2 TCP sessions

santonic — Thu, 30 Oct 2014 07:55:55 GMT

hshah

Thanx for your info. Yep, to me it looks as well like the sessions are in pair. But session IDs are different. So I'm still worried the data sessions will be blocked.

I don't have info about FTP server, i'll check with the client where the issue appears. Do you know if PAN supports multiple DATA sessions back or only looks for 1?

lewis

You saw data sessions (with source port 20) to internet and they were allowed despite the fact you didn't have such traffic allowed with rule?

Re: FTP session logged as 2 TCP sessions

lewis — Thu, 30 Oct 2014 11:32:31 GMT

To clarify my scenario, I was seeing FTP traffic incoming (appeared to be initiated from an internet source which is an untrust zone for us) and being allowed to one of our NAT ips and logged under our outbound rule. This didn't make sense as all traffic incoming from the internet (untrust zone) to our NAT ip is set to deny and logged under a different rule. Under further investigation it was determined this FTP traffic was initiated from an internal device (trusted zone) which normal for us and is set to allow and the inbound untrust zone traffic in question was in fact the return traffic. As someone mentioned the traffic appears in pairs. If I were to do a screen shot of this type traffic it would look the same as yours above. I did not have to create a rule to allow the return FTP traffic back. If untrust zone traffic were to initiate a FTP session to our NAT ip this traffic would be dropped under or deny rule. Hope this helps.

Re: FTP session logged as 2 TCP sessions

hshah — Thu, 30 Oct 2014 12:41:31 GMT

Hi Santonic,

FTP and FTP-data session ID doesnt have to be similar. The can be different. So based on session ID you can not determine if they are in pair.

If FTP application generates multiple session than they are allowed. Let me know if his helps.

Regards,

Hardik Shah

Re: FTP session logged as 2 TCP sessions

dreputi — Thu, 30 Oct 2014 13:44:01 GMT

Hello Santonic,

The session IDs will be different. The control channel will be 'Parent Session' and the data channel will be 'child session'. But they work together ie the child session will be (predicted and converted to Active Flow) based on the parent session. Here is a sample output of child session:

> show session id 685

Session 685 <<<<<<<<<<<<<<<< Child Session ID

c2s flow:

source: 192.168.23.215 [trust-L3]

dst: 10.66.22.169

proto: 6

sport: 64047 dport: 24492

state: ACTIVE type: FLOW

src user: unknown

dst user: unknown

s2c flow:

source: 10.66.22.169 [dmz-L3]

dst: 10.66.22.23

proto: 6

sport: 24492 dport: 2671

state: ACTIVE type: FLOW

src user: unknown

dst user: unknown

start time : Sat Mar 29 06:51:52 2014

timeout : 30 sec

time to live : 24 sec

total byte count(c2s) : 25293

total byte count(s2c) : 69890

layer7 packet count(c2s) : 416

layer7 packet count(s2c) : 461

vsys : vsys1

application : ftp-data

rule : trust-2-dmz

session to be logged at end : True

session in session ager : True

session synced from HA peer : False

address/port translation : source + destination

nat-rule : nat-trust-2-dmz(vsys1)

layer7 processing : completed

URL filtering enabled : False

session via prediction : True

use parent's policy : True

parent session : 683 <<<<<<<<<<<<<<<<<<<<<<<<< Parent session ID

refresh parent session : True

session via syn-cookies : False

session terminated on host : False

session traverses tunnel : False

captive portal session : False

ingress interface : ethernet1/4

egress interface : ethernet1/5

Let us know if that helps and if you have any questions.

Regards,

Dileep

Re: FTP session logged as 2 TCP sessions

HULK — Thu, 30 Oct 2014 14:00:17 GMT

Yes. Dileep is correct. Just to add to it, in an FTP connection, there will be only one control connection, but may have multiple data-connectiones for each transaction. For an example, after successful login, if you apply LS (directory listing)/PUT/GET, every time it will create different data connections.

Thanks

Re: FTP session logged as 2 TCP sessions

santonic — Thu, 30 Oct 2014 14:17:26 GMT

Thanx all for your replies, they've been really helpful.