FTP session logged as 2 TCP sessions


L5 Sessionator

Hello.

I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule is 'any'. One of the applications users will be using is FTP.

When I look at traffic logs I see 2 TCP sessions for each use of the FTP application. Let's say the client is at 1.1.1.1 and the FTP server at 2.2.2.2.

Every time a client starts an FTP session I see 2 TCP sessions in the logs:

- TCP session from 1.1.1.1:yyyy to 2.2.2.2:21

- followed by TCP session from 2.2.2.2:xxxx to 1.1.1.1:20


I know the FTP application consists of 2 TCP sessions. But shouldn't PA, as an application firewall, match the DATA session with the CONTROL session and regard them as a single use of the FTP application?


This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall.

Best regards,

Simon


L7 Applicator

Hello Simon,

Could you please confirm the session type in both directions:

For an example:

vsys1                                          199.167.52.5[4501]/Untrust-ISP  (199.167.52.5[4501])

63320        ssh            ACTIVE --------------- FLOW--------------------  ND   199.167.52.5[4030]/Untrust-ISP/6  (199.167.52.5[4030])  >>>>>>>>>>>>>>>>>>>>> this is a flow session.

I hope the TCP session from 2.2.2.2:xxxx to 1.1.1.1:20 is not a flow session; it's a PRED (predict session). So, the firewall is expecting a connection from the server on that port. This is part of ALG (application layer gateway) functionality.

Hope this helps.
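As an added illustration (not from this post, and not Palo Alto code), here is a minimal Python model of what the FTP ALG does: it parses the client's PORT command on the control channel, predicts the server-initiated data session, and uses that prediction to tie a port-20 connection back to its control session instead of treating it as a standalone flow. The addresses, commands and log sessions are constructed; the hosts 1.1.1.1 and 2.2.2.2 are the ones from the question.

```python
import re
from collections import namedtuple

Session = namedtuple("Session", "src_ip src_port dst_ip dst_port")

# Constructed control-channel commands sent by the client (1.1.1.1) to the server (2.2.2.2).
CONTROL_CMDS = [
    "USER anonymous",
    "PORT 1,1,1,1,16,36",  # client announces 1.1.1.1 : 16*256+36 = 4132 for the data channel
    "RETR file.txt",
]

# Constructed traffic-log sessions as (src_ip, src_port, dst_ip, dst_port).
OBSERVED = [
    ("1.1.1.1", 40000, "2.2.2.2", 21),  # control channel: a normal flow session
    ("2.2.2.2", 20, "1.1.1.1", 4132),   # active-mode data channel announced by the PORT command
    ("2.2.2.2", 20, "1.1.1.1", 5000),   # port-20 connection that no control session announced
]

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def predict_from_port(cmd, client_ip, server_ip):
    """Return the data session an active-mode PORT command announces, or None.

    Like an ALG, only accept a PORT whose address is the control session's own
    client: a PORT naming some third host would open a session to a host that
    never took part in the control channel, so it is not predicted.
    """
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    if ip != client_ip:
        return None
    return Session(server_ip, 20, ip, octets[4] * 256 + octets[5])


def classify(observed, control_cmds, client_ip, server_ip):
    """Label each observed session 'control', 'predicted-data' or 'unexpected'."""
    predicts = {p for p in (predict_from_port(c, client_ip, server_ip) for c in control_cmds) if p}
    labels = {}
    for s in (Session._make(o) for o in observed):
        if s.src_ip == client_ip and s.dst_port == 21:
            labels[s] = "control"
        elif s in predicts:
            labels[s] = "predicted-data"
        else:
            labels[s] = "unexpected"
    return labels
```

Only the 'unexpected' class would need a separate rule to pass; the 'predicted-data' session is the one an application-aware policy should already admit on the strength of the control session.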

L6 Presenter

Hi Santonic,

Kindly provide us output for "show session all filter source 1.1.1.1 destination 2.2.2.2:21". Make sure you have just started the FTP application.


As per the issue, this output will show two sessions. Then provide us the output of "show session id <>" for both of the sessions.


This will help us to determine root cause precisely.


Regards,

Hardik Shah

Thanks for the tip, I'll try to catch such a session live.

Do predicted sessions go into the traffic log as a separate (TCP) session?

Hello santonic,

As per my understanding, a predict session will not be logged under traffic logs. It will only appear in the session table.

Thanks
