FTP session logged as 2 TCP sessions

Showing results for 
Show  only  | Search instead for 
Did you mean: 

FTP session logged as 2 TCP sessions

L5 Sessionator


I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule is 'any'. One of the applications users will be using is FTP.

When I look at traffic logs i see 2 TCP session for each use of FTP application. Let's say client is at and FTP server at

Every time a client starts FTP session i see 2 TCP sessions in logs:

- TCP session from to

- followed by TCP session from to

I know FTP application consists of 2 TCP session. But shouldn't PA as an application firewall match DATA session with CONTROL session and regard them as single use of FTP application?

This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall.

Best regards,



L7 Applicator

Hello Simon,

Could you please confirm the session type in both directions:

For an example:

vsys1                                [4501]/Untrust-ISP  ([4501])

63320        ssh            ACTIVE --------------- FLOW--------------------  ND[4030]/Untrust-ISP/6  ([4030])  >>>>>>>>>>>>>>>>>>>>> this is a flow session.

I hope the TCP session from to is not a flow session, it's a PRED ( predict session). So, the firewall is expecting a connection from the server on that port. This is part of ALG ( application layer gateway) functionality.

Hope this helps.

L6 Presenter

Hi Santonic,

Kindly provide us output for "show session all filter source destination". Make sure you have just started the FTP application.

As per issue, this output will generate two sessions. Then provide us output for "show session id <>" for both the sessions.

This will help us to determine root cause precisely.


Hardik Shah

Thanx for the tip, i'll try to catch such session live.

Do predicted sessions go into traffic log as a seperate (TCP) session?

Hello santonic,

As per my understanding, predict session will be not logged under traffic logs. It will be only appear in the session table.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!