This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

FTP connections jumping rule

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

FTP connections jumping rule

soporteseguridad
L4 Transporter

‎06-14-2016 04:46 AM - edited ‎06-14-2016 04:53 AM

Hi,

 

we have 2 rules. the first one filtering by application FTP 

and the second one with the same source/destination like the rule above and using any/any permit.

 

We run ftp connections. all these FTP connections should match in the first rule filtering by FTP, but we see matches in the any/any rule too. 

 

In this rule should be match all the ftp connections (filter by FTP app, services any):

 

Captura1.JPG

but we see connections in this rule too (any/any)

 

Capturasegunda.JPG

 

Why all the connections FTP not using the same rule (first one)???

1 person had this problem.
0 Likes Likes
12 REPLIES 12

Transporter
L3 Networker

‎06-14-2016 05:35 AM

Hi,

 

Can you run the PCAP on the PA? Use filters to specify a particular host /IP and post the result.

 

Cheers,

 

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite
In response to Transporter

‎06-14-2016 06:22 AM

 

If during session application changes then unless you log at session start you see in log only last application identified.

For troubleshooting period can you open both of those policies and on the last tab (Actions) check both boxes "log at session start" and "log at session end"

Do you see only FTP in application field or Palo identifies it something else in the mean time?

After application shift rules are evaluated again and top rule should match again so strange issu but worth to try.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

soporteseguridad
L4 Transporter
In response to Raido_Rattameister

‎06-14-2016 06:34 AM

The app is FTP, but i dont know why the second rule is matching if all the connections should go through first rule...

0 Likes Likes

rmonvon
L6 Presenter
In response to soporteseguridad

‎06-14-2016 06:45 AM

Can you take a screensot of the 2 FTP rules so we can see them please.  Thanks.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to soporteseguridad

‎06-14-2016 06:49 AM

Any chance you're running into an issue with the FTP rule not catching FTPs?

0 Likes Likes

soporteseguridad
L4 Transporter
In response to BPry

‎06-14-2016 06:56 AM

I attach both rules. Connections shoyuld only go through first rule, but we see FTP tries in the last one. Why? 

 

REGLAS FTP.jpg

0 Likes Likes

rmonvon
L6 Presenter
In response to soporteseguridad

‎06-14-2016 11:19 AM

From the rule screenshot, FTP should match 1st rule and not the 2nd rule as you pointed out.

 

Did you happen to add/modify the FTP rules during the time period in question?  If so, it may be that the FTP session matched 1 rule and a rule change occurred afterward which would not take effect on the existing FTP session.

 

If you're still seeing this behavior where FTP is matching rule2, I recommend opening a Support cast to have it diagnose.  Thanks.

 

 

0 Likes Likes

soporteseguridad
L4 Transporter
In response to rmonvon

‎06-15-2016 04:11 AM

I checked the NAT rule for this FTP server and its weird this NAT rule.

 

NAT.jpg

It should be a static NAT??? currently its configured with dynamic ip and port... maybe this can caused problems?? The connections take different source ip nat to go to internet.....

 

Maybe this could cause the problem?? i think for this FTP use we should use a static ftp ...

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite
In response to soporteseguridad

‎06-15-2016 04:27 AM

Is 195.5 address object?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

soporteseguridad
L4 Transporter
In response to Raido_Rattameister

‎06-15-2016 05:45 AM

No, its the IP iwth no object created. I think NAT is not well created.

 

 

0 Likes Likes

Transporter
L3 Networker
In response to soporteseguridad

‎06-15-2016 06:06 AM - edited ‎06-15-2016 06:07 AM

Hiya,

 

Kindly could you provide screenshots of the FTP sessions that hitting a correct policy and "any" "any" policy.

Example below:

 

example.png

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite
In response to Transporter

‎06-15-2016 07:20 AM

Can you also send screenshot of the session from session table.

Monitor > Session table

 

Click on the + sign to expand the view.

Session table view includes NAT policy used but traffic log screenshot does not.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes
  • 4457 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks