Cannot Use 'ftp-data' as a Valid Application Selection for a Security Rule

Created On 09/26/18 13:50 PM - Last Modified 06/06/23 19:47 PM


Resolution


Symptom

The term ftp-data cannot be used as a valid application identifier in a security rule, and it does not appear to exist in the application database.


Cause

This is expected behavior. FTP is a special application that uses an ALG (Application Layer Gateway). During the control part of the connection, the ALG inspects the commands exchanged on the control channel to learn the data port that will be used and the transfer mode (active or passive), and pinholes that port. At this point the ftp-data session is created. The Palo Alto Networks firewall treats these special sessions as predicted sessions, and the 'predict' flag should be visible in the type column for 'ftp-data'. Because the data session is derived from the control channel rather than matched by rule, this app cannot be found in the application list when configuring the rule-base.


See the following example.

  • The output of `> show session id 537793162` identifies the application as "ftp-data" (blue box in the example).
  • Under Monitor > Traffic, Session ID 537793162 identifies the application as FTP (red box in the example).

[Image: FTPvsFTP-Data.png, comparing the ftp-data session in the CLI output with the FTP application shown in Monitor > Traffic]
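As an added illustration (not part of this article and not PAN-OS code), the following Python emulates the control-channel inspection described above: it parses PORT commands and 227 passive-mode replies and derives the address and port the ALG would pinhole, which is the predicted ftp-data session. The client and server addresses and the control-channel lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel excerpt (not from the article). The client is
# 10.1.1.5 and the server is 192.0.2.10; the control session itself is "ftp".
CONTROL_LOG = [
    "C: PORT 10,1,1,5,195,80",
    "S: 200 PORT command successful",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,39,15)",
]

@dataclass(frozen=True)
class PredictedSession:
    mode: str           # "active" (server connects to client) or "passive"
    data_src: str       # endpoint that will open the data connection
    data_dst: str       # endpoint the ALG pinholes
    data_port: int      # port the ALG pinholes; this is the "ftp-data" session
    addr_matches: bool  # advertised address equals the expected endpoint

_HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"

def _decode(m):
    """Turn the RFC 959 h1,h2,h3,h4,p1,p2 form into (ip, port)."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))

def predict_ftp_data(lines, client_ip, server_ip):
    """Emulate the control-channel inspection an FTP ALG performs.

    Each PORT command or 227 reply yields one predicted data session, the
    'predict' session the article describes. No rule selects it: the 5-tuple
    only exists once the control channel announces it.
    """
    predicted = []
    for line in lines:
        m = re.match(r"C: PORT " + _HOSTPORT + r"$", line)
        if m:  # active mode: client tells the server where to connect
            ip, port = _decode(m)
            predicted.append(PredictedSession("active", server_ip, ip, port, ip == client_ip))
            continue
        m = re.match(r"S: 227 .*\(" + _HOSTPORT + r"\)", line)
        if m:  # passive mode: server tells the client where to connect
            ip, port = _decode(m)
            predicted.append(PredictedSession("passive", client_ip, ip, port, ip == server_ip))
    return predicted

if __name__ == "__main__":
    for s in predict_ftp_data(CONTROL_LOG, "10.1.1.5", "192.0.2.10"):
        print(s)
```

The `addr_matches` field is a defender's sanity check (an assumption of this example, not something the article states): a predicted session whose advertised address differs from the control-channel peer is worth logging rather than silently pinholing.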


owner: kalavi


