FTP session logged as 2 TCP sessions

L6 Presenter

Re: FTP session logged as 2 TCP sessions

Hi Santonic,

The return connection "2.2.2.2:20 to 1.1.1.1:xxxx application ftp" may be for future ftp-data, and that is expected behavior. Can you provide us the show session id output for both sessions?

Regards,

Hardik Shah

L5 Sessionator

Re: FTP session logged as 2 TCP sessions

Ok, I understand about PREDICT sessions, but we all agree those shouldn't be seen in traffic logs?

And I agree I shouldn't have to create a rule for the traffic back, but in that case will the session back in the logs be blocked?

And the session IDs for a pair of such connections are different.

Here is the screenshot of such sessions for easier understanding:

ftp.jpg

Another thing: for the security zone where the FTP server is, we have a zone protection profile which doesn't reject non-SYN TCP sessions and bypasses asymmetric paths.

But the mentioned FTP traffic isn't asymmetric, so this zone protection profile shouldn't have any influence on these sessions.

L6 Presenter

Re: FTP session logged as 2 TCP sessions

Hi Santonic,

I see the FTP sessions on port 21 and 20 are in a pair, which means one is for the control channel and the other one is for the data channel.

Now, the FTP server might be sending the file through multiple sessions to get better throughput. That's the reason there are multiple sessions.

I have seen server applications using multiple sessions to get faster throughput. May I know which FTP server you are using?

Regards,

Hardik Shah

L4 Transporter

Re: FTP session logged as 2 TCP sessions

@santonic I had the same questions when I discovered what appeared to be IPs out on the internet doing FTP into our network, which I believed should have been dropped. Under further investigation and a ticket to support I found out about the predict sessions. RTP works this way too.

L5 Sessionator

Re: FTP session logged as 2 TCP sessions

hshah

Thanks for your info. Yep, to me it looks as well like the sessions are in a pair. But the session IDs are different, so I'm still worried the data sessions will be blocked.

I don't have info about the FTP server; I'll check with the client where the issue appears. Do you know if PAN supports multiple data sessions back, or only looks for one?

lewis

You saw data sessions (with source port 20) to the internet, and they were allowed despite the fact that you didn't have such traffic allowed by a rule?

L4 Transporter

Re: FTP session logged as 2 TCP sessions

To clarify my scenario, I was seeing FTP traffic incoming (appearing to be initiated from an internet source, which is an untrust zone for us) and being allowed to one of our NAT IPs and logged under our outbound rule. This didn't make sense, as all traffic incoming from the internet (untrust zone) to our NAT IP is set to deny and logged under a different rule. Under further investigation it was determined this FTP traffic was initiated from an internal device (trusted zone), which is normal for us and is set to allow, and the inbound untrust zone traffic in question was in fact the return traffic. As someone mentioned, the traffic appears in pairs. If I were to do a screenshot of this type of traffic it would look the same as yours above. I did not have to create a rule to allow the return FTP traffic back. If untrust zone traffic were to initiate an FTP session to our NAT IP, this traffic would be dropped under our deny rule. Hope this helps.

L6 Presenter

Re: FTP session logged as 2 TCP sessions

Hi Santonic,

FTP and FTP-data session IDs don't have to be similar. They can be different, so based on the session ID you cannot determine if they are a pair.

If the FTP application generates multiple sessions, then they are allowed. Let me know if this helps.

Regards,

Hardik Shah

L4 Transporter

Re: FTP session logged as 2 TCP sessions

Hello Santonic,

The session IDs will be different. The control channel will be the 'parent session' and the data channel will be the 'child session', but they work together, i.e. the child session will be predicted and converted to an active flow based on the parent session. Here is a sample output of a child session:

> show session id 685

Session 685    <<<<<<<<<<<<<<<< Child Session ID
c2s flow:
source: 192.168.23.215 [trust-L3]
dst: 10.66.22.169
proto: 6
sport: 64047 dport: 24492
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.66.22.169 [dmz-L3]
dst: 10.66.22.23
proto: 6
sport: 24492 dport: 2671
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Sat Mar 29 06:51:52 2014
timeout : 30 sec
time to live : 24 sec
total byte count(c2s) : 25293
total byte count(s2c) : 69890
layer7 packet count(c2s) : 416
layer7 packet count(s2c) : 461
vsys : vsys1
application : ftp-data
rule : trust-2-dmz
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : nat-trust-2-dmz(vsys1)
layer7 processing : completed
URL filtering enabled : False
session via prediction : True
use parent's policy : True
parent session : 683    <<<<<<<<<<<<<<<<<<<<<<<<< Parent session ID
refresh parent session : True
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/5

Let us know if that helps and if you have any questions.

Regards,

Dileep

L7 Applicator

Re: FTP session logged as 2 TCP sessions

Yes, Dileep is correct. Just to add to it: in an FTP connection there will be only one control connection, but there may be multiple data connections, one for each transaction. For example, after a successful login, each LS (directory listing), PUT or GET will create a different data connection.

Thanks
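The two posts above explain how to read the `show session id` output: a predicted ftp-data child carries `session via prediction : True`, `use parent's policy : True` and a `parent session` pointing at the ftp control session, and one control session can have any number of such children (one per LS/PUT/GET). The script below is an added example for this thread, not Palo Alto Networks' code or any poster's. It parses pasted session blocks in that field layout, keeps the c2s and s2c fields apart, links each predicted child to its parent, and flags a child whose parent is not in the capture, which is the case an analyst would want to look at before assuming the data session was legitimately predicted. The sample capture is constructed and abridged; its session IDs, addresses, ports and the rule name are placeholders.

```python
"""Parse and correlate Palo Alto 'show session id' output for FTP sessions.

Added example for this thread, not Palo Alto Networks' or any poster's code.
SAMPLE_OUTPUT is constructed and abridged to mirror the field layout quoted
above; its session IDs, addresses, ports and rule names are placeholders.
"""
import re

SESSION_HEADER = re.compile(r"^Session\s+(\d+)")
PORTS = re.compile(r"^sport:\s*(\d+)\s+dport:\s*(\d+)")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 '()/_-]*?)\s*:\s*(.*)$")
# Fields that occur once per direction (c2s and s2c) and must be kept apart.
PER_FLOW_KEYS = {"source", "dst", "proto", "state", "src user", "dst user"}

# Constructed capture: parent control session 683, one predicted ftp-data
# child (685) and one child (690) whose parent is not in the capture.
SAMPLE_OUTPUT = """\
Session 683
c2s flow:
source: 192.168.23.215 [trust-L3]
sport: 64046 dport: 21
s2c flow:
source: 10.66.22.169 [dmz-L3]
sport: 21 dport: 2670
application : ftp
rule : trust-2-dmz
session via prediction : False
use parent's policy : False

Session 685    <<<<<<<< Child Session ID
c2s flow:
source: 192.168.23.215 [trust-L3]
sport: 64047 dport: 24492
application : ftp-data
rule : trust-2-dmz
session via prediction : True
use parent's policy : True
parent session : 683    <<<<<<<< Parent session ID

Session 690
c2s flow:
sport: 51000 dport: 30001
application : ftp-data
rule : trust-2-dmz
session via prediction : True
use parent's policy : True
parent session : 9001
"""


def _clean(value):
    """Drop the '<<<<< note' annotations people add to pasted CLI output."""
    return re.split(r"\s*<{3,}", value)[0].strip()


def parse_sessions(text):
    """Return {session_id: {field: value}} from pasted 'show session id' blocks."""
    sessions, current, flow = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SESSION_HEADER.match(line):
            current, flow = {"id": int(m.group(1))}, None
            sessions[current["id"]] = current
        elif current is None:
            continue
        elif line.endswith("flow:"):
            flow = line.split()[0]  # 'c2s' or 's2c'
        elif m := PORTS.match(line):
            current[f"{flow or 'c2s'} sport"] = int(m.group(1))
            current[f"{flow or 'c2s'} dport"] = int(m.group(2))
        elif m := KEY_VALUE.match(line):
            key = " ".join(m.group(1).split())
            if key in PER_FLOW_KEYS and flow:
                key = f"{flow} {key}"
            current[key] = _clean(m.group(2))
    return sessions


def correlate(sessions):
    """Link each predicted child (ftp-data) to its parent (ftp control) session."""
    findings = []
    for s in sorted(sessions.values(), key=lambda s: s["id"]):
        if s.get("session via prediction") != "True":
            continue
        parent_id = int(s.get("parent session", -1))
        parent = sessions.get(parent_id)
        findings.append({
            "child": s["id"],
            "parent": parent_id,
            "parent_present": parent is not None,
            "application": s.get("application"),
            "parent_application": parent.get("application") if parent else None,
            "rule": s.get("rule"),
            "inherits_parent_policy": s.get("use parent's policy") == "True",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_sessions(SAMPLE_OUTPUT)):
        note = "" if f["parent_present"] else "  <-- parent not in capture"
        print(f"child {f['child']} ({f['application']}) -> parent {f['parent']} "
              f"({f['parent_application']}), rule {f['rule']}, "
              f"inherits parent policy: {f['inherits_parent_policy']}{note}")
```

Paste the output of `show session id` for every session in the pair into `SAMPLE_OUTPUT` (or read it from a file) and the child rows show which rule they actually inherited; a child that reports a parent absent from the capture is the one to pull the parent session for before concluding the firewall predicted it.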

L5 Sessionator

Re: FTP session logged as 2 TCP sessions

Thanks all for your replies; they've been really helpful.
