About ftp passive mode App-ID insufficient-data

L4 Transporter

Hi All,

We find that if FTP runs in passive mode and goes through a Palo Alto firewall, then in the firewall's Monitor -> Logs -> Traffic we see the application identified as insufficient-data.

I also find that there are just a few bytes for every log in the Bytes column.

Does anyone know how to explain those results?

Accepted Solutions

L5 Sessionator

Insufficient data means that there was not enough data to identify the application. So, for example, if the 3-way TCP handshake completed and there was one data packet after the handshake, but that one data packet was not enough to match any of our signatures, you would see insufficient-data in the application field of the traffic log.

Ref: Incomplete, Insufficient data and Not-applicable in the application field

Hi,

Thanks for the quick feedback. So if FTP runs in passive mode and passes through a Palo Alto firewall, the firewall could not identify it correctly as the application "ftp", right? Or not?

Regards,

Joy

Yes, you would see insufficient-data if the firewall does not see enough data packets to identify this traffic.

Do you see the traffic matching the expected security rule?

P.S.: The application FTP would cover both the active and passive variants.

-Ameya

I agree with Ameya.

"Few bytes for every log" also indicates that there's not enough data. Basically, even just to log in to an FTP server, the traffic size is usually a few hundred bytes. The first thing to check is whether FTP is really working.

- Yasu
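As an added illustration of the triage described in the accepted answer and in Yasu's reply (this is not code from the thread or from Palo Alto Networks), the Python below reads a constructed, simplified traffic-log export and, per destination, separates destinations where FTP was identified from those where every session stayed at handshake size or was denied before any data flowed. The column layout and the 300-byte "few hundred bytes" threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified traffic-log export layout (assumption: a
# real PAN-OS CSV export has many more columns; only these are used here).
SAMPLE_LOG = """\
src,dst,dport,app,rule,action,bytes
10.1.1.5,203.0.113.10,21,insufficient-data,allow-ftp,allow,132
10.1.1.5,203.0.113.10,50212,insufficient-data,allow-ftp,allow,92
10.1.1.7,203.0.113.20,21,ftp,allow-ftp,allow,1840
10.1.1.7,203.0.113.20,49731,ftp,allow-ftp,allow,524288
10.1.1.9,203.0.113.30,21,insufficient-data,intrazone-default,deny,66
"""

# Per the thread, even an FTP login moves a few hundred bytes; sessions far
# below that carried no FTP data after the TCP handshake (assumed threshold).
FEW_BYTES = 300

def parse_log(text):
    """Parse the CSV export into dicts with integer byte counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes"] = int(r["bytes"])
    return rows

def triage_ftp(rows, threshold=FEW_BYTES):
    """Per destination, count sessions by App-ID outcome and give a verdict."""
    per_dst = defaultdict(lambda: {"ftp": 0, "insufficient": 0, "tiny": 0, "denied": 0})
    for r in rows:
        d = per_dst[r["dst"]]
        if r["action"] != "allow":
            d["denied"] += 1
        if r["app"] == "ftp":
            d["ftp"] += 1
        elif r["app"] == "insufficient-data":
            d["insufficient"] += 1
            if r["bytes"] < threshold:
                d["tiny"] += 1
    for d in per_dst.values():
        if d["ftp"]:
            d["verdict"] = "ftp identified; App-ID is working"
        elif d["denied"]:
            d["verdict"] = "denied before any FTP data; check which rule matched"
        elif d["tiny"] == d["insufficient"]:
            d["verdict"] = "only handshakes seen; verify the FTP service itself"
        else:
            d["verdict"] = "some data seen but unidentified; capture and inspect"
    return dict(per_dst)
```

Run it against a real export only after mapping the real column names onto the ones used here; the verdict strings are meant as a starting point for the checks Ameya and Yasu suggest, not as an authoritative diagnosis.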

Hi,

After upgrading to content version 364-1728, the PA firewall can correctly identify the application of FTP passive mode as "ftp" with high random ports.

My security policy settings are as below.

Trust-zone, any source addresses, to Untrust-zone, any destination addresses, application eq ftp, service application-default, action eq allow.

Regards,
