10-28-2014 06:07 AM
I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule are 'any'. One of the applications users will be using is FTP.
When I look at traffic logs I see 2 TCP sessions for each use of the FTP application. Let's say the client is at 188.8.131.52 and the FTP server at 184.108.40.206.
Every time a client starts an FTP session I see 2 TCP sessions in the logs:
- TCP session from 220.127.116.11:yyyy to 18.104.22.168:21
- followed by TCP session from 22.214.171.124:xxxx to 126.96.36.199:20
I know the FTP application consists of 2 TCP sessions. But shouldn't PA, as an application firewall, match the DATA session with the CONTROL session and regard them as a single use of the FTP application?
This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall.
10-28-2014 06:24 AM
Could you please confirm the session type in both directions:
For example:
vsys1 188.8.131.52/Untrust-ISP (184.108.40.206)
63320 ssh ACTIVE --------------- FLOW-------------------- ND 220.127.116.11/Untrust-ISP/6 (18.104.22.168) >>>>>>>>>>>>>>>>>>>>> this is a flow session.
I hope the TCP session from 22.214.171.124:xxxx to 126.96.36.199:20 is not a flow session; it's a PRED (predict session). So, the firewall is expecting a connection from the server on that port. This is part of the ALG (application layer gateway) functionality.
Hope this helps.
10-28-2014 06:32 AM
Kindly provide us output for "show session all filter source 188.8.131.52 destination 184.108.40.206:21". Make sure you have just started the FTP application.
As per the issue, this output will show two sessions. Then provide us the output of "show session id <>" for both of the sessions.
This will help us to determine root cause precisely.
10-28-2014 06:35 AM
Thanks for the tip, I'll try to catch such a session live.
Do predicted sessions go into the traffic log as a separate (TCP) session?
10-28-2014 06:40 AM
As per my understanding, predict sessions will not be logged under traffic logs. They will only appear in the session table.
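The two replies above (the PRED/ALG explanation and the note that predict sessions live only in the session table) can be illustrated with a toy model of what an FTP ALG does. The following Python is an added example written for this thread; it is not PAN-OS code and does not reproduce the firewall's actual session table. The IP addresses are the two hosts from the original question; the session id, ports, dialogue lines and the class and function names (`FtpAlg`, `Predict`, `classify_syn`, `run_example`) are constructed for illustration. It parses `PORT` and `227` (PASV) responses on the control channel, opens a pinhole ("predict" entry) for the expected data connection, and shows that a matching data SYN is converted into a flow tied to the parent control session, while an unrelated SYN to port 20 is not matched at all. It also refuses a `PORT` or `227` that names a host other than the control-session peer, a check the example adds as a sensible ALG hardening rather than something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: the two hosts from the thread, a control session id and a
# short FTP dialogue. Session id, ports and payloads are made up for illustration.
CLIENT = "188.8.131.52"
SERVER = "184.108.40.206"
CONTROL_ID = "63320"

CONTROL_DIALOGUE = [
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS hunter2"),
    ("S", "230 Login successful"),
    ("C", "PORT 188,8,131,52,4,210"),   # active mode: client listens on 4*256+210 = 1234
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (184,108,40,206,195,80)"),  # server listens on 195*256+80 = 50000
    ("C", "RETR file.bin"),
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Predict:
    """A pinhole the ALG opens for one expected data connection (hypothetical model)."""
    src: str
    src_port: Optional[int]   # None means any source port
    dst: str
    dst_port: int
    parent: str               # control session that justified the pinhole


class FtpAlg:
    """Toy FTP ALG: watch the control channel, predict the data channel."""

    def __init__(self, client: str, server: str, control_id: str):
        self.client, self.server, self.control_id = client, server, control_id
        self.predicts: List[Predict] = []
        self.logged: List[str] = []   # sessions that would reach the traffic log

    def inspect(self, direction: str, line: str) -> Optional[Predict]:
        """Look at one control-channel line; return the predict entry it creates, if any."""
        if direction == "C":
            m = PORT_RE.match(line)
            if not m:
                return None
            host, port = parse_hostport(m.groups())
            # Only honour a PORT that points back at the control-session client.
            if host != self.client:
                return None
            # Active mode: the server connects from port 20 to the client's port.
            p = Predict(self.server, 20, host, port, self.control_id)
        else:
            m = PASV_RE.match(line)
            if not m:
                return None
            host, port = parse_hostport(m.groups())
            # Only honour a 227 that names the server we are already talking to.
            if host != self.server:
                return None
            # Passive mode: the client connects from any port to the server's port.
            p = Predict(self.client, None, host, port, self.control_id)
        self.predicts.append(p)
        return p

    def classify_syn(self, src: str, sport: int, dst: str, dport: int) -> str:
        """Classify a new TCP SYN the way the session table would see it."""
        if (src, dst, dport) == (self.client, self.server, 21):
            self.logged.append(f"{src}:{sport}->{dst}:{dport} ftp")
            return "FLOW"
        for p in list(self.predicts):
            if (src, dst, dport) == (p.src, p.dst, p.dst_port) and p.src_port in (None, sport):
                # The pinhole is consumed; the data channel is tied to its parent session.
                self.predicts.remove(p)
                self.logged.append(f"{src}:{sport}->{dst}:{dport} ftp-data (parent {p.parent})")
                return "PREDICT->FLOW"
        return "NO-MATCH"


def run_example() -> dict:
    """Drive the toy ALG through the constructed dialogue and three data-channel SYNs."""
    alg = FtpAlg(CLIENT, SERVER, CONTROL_ID)
    control = alg.classify_syn(CLIENT, 40001, SERVER, 21)
    created = [p for d, l in CONTROL_DIALOGUE if (p := alg.inspect(d, l))]
    active = alg.classify_syn(SERVER, 20, CLIENT, 1234)        # matches the PORT pinhole
    passive = alg.classify_syn(CLIENT, 40002, SERVER, 50000)   # matches the PASV pinhole
    stray = alg.classify_syn(SERVER, 20, CLIENT, 2222)         # nothing predicted this
    return {"control": control, "predicts": created, "active": active,
            "passive": passive, "stray": stray, "logged": alg.logged}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)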