03-25-2013 09:41 PM
Hi All,
We find that if FTP runs in passive mode and goes through a Palo Alto FW, in the FW Monitor -> Logs -> Traffic, we'll see the application identified as insufficient-data.
I also find that there are just a few bytes for every log in the Bytes column.
Does anyone know how to explain those results?
03-25-2013 09:54 PM
Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.
Ref: Incomplete, Insufficient data and Not-applicable in the application field
03-25-2013 11:10 PM
Hi,
Thanks for the quick feedback. So if FTP runs in passive mode and passes through the Palo Alto FW, the FW could not identify it correctly as application "ftp", right? Or not?
Regards,
Joy
03-26-2013 12:16 AM
Yes, you would see insufficient-data if the firewall does not see enough data packets to identify this traffic.
Do you see the traffic matching the expected security rule?
P.S: Application FTP would cover both Active+Passive variants.
-Ameya
03-26-2013 02:10 AM
I agree with Ameya.
"few bytes for every log" also indicates that there's not enough data. Basically, even just to log in to an FTP server, the traffic size usually becomes a few hundred bytes. The first thing to check is whether FTP is really working.
- Yasu
03-28-2013 08:25 PM
Hi,
After upgrading to content version 364-1728, the PA FW can correctly identify the application of FTP passive mode as "ftp" with high random ports.
My security policy settings are as below.
Trust-zone, any source-addresses, to Untrust-zone, any destination-addresses, application eq ftp, service application-default, action eq allow.
Regards,