topic Re: FTP connections jumping rule in General Topics

FTP connections jumping rule

soporteseguridad — Tue, 14 Jun 2016 11:53:38 GMT

Hi,

we have 2 rules. the first one filtering by application FTP

and the second one with the same source/destination like the rule above and using any/any permit.

We run ftp connections. all these FTP connections should match in the first rule filtering by FTP, but we see matches in the any/any rule too.

In this rule should be match all the ftp connections (filter by FTP app, services any):

but we see connections in this rule too (any/any)

Why all the connections FTP not using the same rule (first one)???

Re: FTP connections jumping rule

Transporter — Tue, 14 Jun 2016 12:35:37 GMT

Hi,

Can you run the PCAP on the PA? Use filters to specify a particular host /IP and post the result.

Cheers,

Re: FTP connections jumping rule

Raido_Rattameister — Tue, 14 Jun 2016 13:22:00 GMT

If during session application changes then unless you log at session start you see in log only last application identified.

For troubleshooting period can you open both of those policies and on the last tab (Actions) check both boxes "log at session start" and "log at session end"

Do you see only FTP in application field or Palo identifies it something else in the mean time?

After application shift rules are evaluated again and top rule should match again so strange issu but worth to try.

Re: FTP connections jumping rule

soporteseguridad — Tue, 14 Jun 2016 13:34:09 GMT

The app is FTP, but i dont know why the second rule is matching if all the connections should go through first rule...

Re: FTP connections jumping rule

rmonvon — Tue, 14 Jun 2016 13:45:13 GMT

Can you take a screensot of the 2 FTP rules so we can see them please. Thanks.

Re: FTP connections jumping rule

BPry — Tue, 14 Jun 2016 13:49:00 GMT

Any chance you're running into an issue with the FTP rule not catching FTPs?

Re: FTP connections jumping rule

soporteseguridad — Tue, 14 Jun 2016 13:56:53 GMT

I attach both rules. Connections shoyuld only go through first rule, but we see FTP tries in the last one. Why?

Re: FTP connections jumping rule

rmonvon — Tue, 14 Jun 2016 18:19:52 GMT

From the rule screenshot, FTP should match 1st rule and not the 2nd rule as you pointed out.

Did you happen to add/modify the FTP rules during the time period in question? If so, it may be that the FTP session matched 1 rule and a rule change occurred afterward which would not take effect on the existing FTP session.

If you're still seeing this behavior where FTP is matching rule2, I recommend opening a Support cast to have it diagnose. Thanks.

Re: FTP connections jumping rule

soporteseguridad — Wed, 15 Jun 2016 11:11:48 GMT

I checked the NAT rule for this FTP server and its weird this NAT rule.

It should be a static NAT??? currently its configured with dynamic ip and port... maybe this can caused problems?? The connections take different source ip nat to go to internet.....

Maybe this could cause the problem?? i think for this FTP use we should use a static ftp ...

Re: FTP connections jumping rule

Raido_Rattameister — Wed, 15 Jun 2016 11:27:41 GMT

Is 195.5 address object?

Re: FTP connections jumping rule

soporteseguridad — Wed, 15 Jun 2016 12:45:53 GMT

No, its the IP iwth no object created. I think NAT is not well created.

Re: FTP connections jumping rule

Transporter — Wed, 15 Jun 2016 13:07:25 GMT

Hiya,

Kindly could you provide screenshots of the FTP sessions that hitting a correct policy and "any" "any" policy.

Example below:

Re: FTP connections jumping rule

Raido_Rattameister — Wed, 15 Jun 2016 14:20:23 GMT

Can you also send screenshot of the session from session table.

Monitor > Session table

Click on the + sign to expand the view.

Session table view includes NAT policy used but traffic log screenshot does not.