FTP session logged as 2 TCP sessions


L6 Presenter

Hello.

I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule is 'any'. One of the applications users will be using is FTP.

When I look at traffic logs I see 2 TCP sessions for each use of the FTP application. Let's say the client is at 1.1.1.1 and the FTP server at 2.2.2.2.

Every time a client starts an FTP session I see 2 TCP sessions in the logs:

- TCP session from 1.1.1.1:yyyy to 2.2.2.2:21

- followed by TCP session from 2.2.2.2:xxxx to 1.1.1.1:20


I know the FTP application consists of 2 TCP sessions. But shouldn't PA, as an application firewall, match the DATA session with the CONTROL session and regard them as a single use of the FTP application?


This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall.

Best regards,

Simon

19 Replies

To clarify my scenario, I was seeing FTP traffic incoming (appeared to be initiated from an internet source, which is an untrust zone for us) and being allowed to one of our NAT IPs and logged under our outbound rule. This didn't make sense, as all traffic incoming from the internet (untrust zone) to our NAT IP is set to deny and logged under a different rule. Under further investigation it was determined this FTP traffic was initiated from an internal device (trusted zone), which is normal for us and is set to allow, and the inbound untrust zone traffic in question was in fact the return traffic. As someone mentioned, the traffic appears in pairs. If I were to do a screenshot of this type of traffic it would look the same as yours above. I did not have to create a rule to allow the return FTP traffic back. If untrust zone traffic were to initiate an FTP session to our NAT IP, this traffic would be dropped under our deny rule. Hope this helps.

Hi Santonic,

FTP and FTP-data session IDs don't have to be similar. They can be different. So based on session ID you cannot determine if they are a pair.

If the FTP application generates multiple sessions, then they are allowed. Let me know if this helps.

Regards,

Hardik Shah

Hello Santonic,

The session IDs will be different. The control channel will be the 'Parent Session' and the data channel will be the 'child session'. But they work together, i.e. the child session will be predicted (and converted to an Active Flow) based on the parent session. Here is a sample output of a child session:

> show session id 685

Session 685    <<<<<<<<<<<<<<<< Child Session ID

  c2s flow:
    source: 192.168.23.215 [trust-L3]
    dst: 10.66.22.169
    proto: 6
    sport: 64047 dport: 24492
    state: ACTIVE type: FLOW
    src user: unknown
    dst user: unknown

  s2c flow:
    source: 10.66.22.169 [dmz-L3]
    dst: 10.66.22.23
    proto: 6
    sport: 24492 dport: 2671
    state: ACTIVE type: FLOW
    src user: unknown
    dst user: unknown

  start time : Sat Mar 29 06:51:52 2014
  timeout : 30 sec
  time to live : 24 sec
  total byte count(c2s) : 25293
  total byte count(s2c) : 69890
  layer7 packet count(c2s) : 416
  layer7 packet count(s2c) : 461
  vsys : vsys1
  application : ftp-data
  rule : trust-2-dmz
  session to be logged at end : True
  session in session ager : True
  session synced from HA peer : False
  address/port translation : source + destination
  nat-rule : nat-trust-2-dmz(vsys1)
  layer7 processing : completed
  URL filtering enabled : False
  session via prediction : True
  use parent's policy : True
  parent session : 683    <<<<<<<<<<<<<<<<<<<<<<<<< Parent session ID
  refresh parent session : True
  session via syn-cookies : False
  session terminated on host : False
  session traverses tunnel : False
  captive portal session : False
  ingress interface : ethernet1/4
  egress interface : ethernet1/5

Let us know if that helps and if you have any questions.

Regards,

Dileep

Yes. Dileep is correct. Just to add to it, in an FTP connection there will be only one control connection, but there may be multiple data connections, one for each transaction. For example, after a successful login, if you issue LS (directory listing)/PUT/GET, every time it will create a different data connection.
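The two replies above make the same point: the pairing is not visible in the session IDs or the traffic log, but in the `parent session` and `session via prediction` fields of the child session. As an added example (not code from the thread or from Palo Alto Networks), the script below parses `show session id` output in the layout Dileep posted, rebuilds the parent/child tree for a control channel with several data channels (Sumit's LS/GET case), and flags any `ftp-data` session that was not predicted from a control channel. The session records are constructed for this example; the field names follow the post, while session 700 and the rule name `allow-port-20` are assumptions made to show the unwanted case (an explicit data-port rule doing the work the application firewall should do by prediction).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the 'show session id' layout from the thread. 683 is the
# FTP control channel; 685 and 690 are data channels predicted from it; 700 is an
# assumed ftp-data session that was NOT predicted and only exists because of an
# explicit data-port rule (the case a defender would want to find and remove).
SAMPLE_SESSIONS = """\
Session 683
  c2s flow:
    source: 192.168.23.215 [trust-L3]
    dst: 10.66.22.169
    sport: 64001 dport: 21
  application : ftp
  rule : trust-2-dmz
  session via prediction : False

Session 685    <<<<<<<<<<<<<<<< Child Session ID
  c2s flow:
    source: 192.168.23.215 [trust-L3]
    dst: 10.66.22.169
    sport: 64047 dport: 24492
  application : ftp-data
  rule : trust-2-dmz
  session via prediction : True
  use parent's policy : True
  parent session : 683

Session 690
  c2s flow:
    source: 192.168.23.215 [trust-L3]
    dst: 10.66.22.169
    sport: 64052 dport: 24510
  application : ftp-data
  rule : trust-2-dmz
  session via prediction : True
  use parent's policy : True
  parent session : 683

Session 700
  c2s flow:
    source: 10.66.22.169 [dmz-L3]
    dst: 192.168.23.215
    sport: 20 dport: 40001
  application : ftp-data
  rule : allow-port-20
  session via prediction : False
"""


@dataclass
class Session:
    sid: int
    application: str = "unknown"
    rule: str = "unknown"
    sport: Optional[int] = None   # c2s flow source port
    dport: Optional[int] = None   # c2s flow destination port
    predicted: bool = False       # 'session via prediction'
    parent: Optional[int] = None  # 'parent session', absent on a control channel


def parse_sessions(text: str) -> Dict[int, Session]:
    """Parse one or more 'show session id' outputs into Session records keyed by ID."""
    sessions: Dict[int, Session] = {}
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Session\s+(\d+)", line)
        if m:
            current = Session(sid=int(m.group(1)))
            sessions[current.sid] = current
            continue
        if current is None:
            continue
        m = re.match(r"^sport:\s*(\d+)\s+dport:\s*(\d+)", line)
        if m and current.sport is None:  # first port line belongs to the c2s flow
            current.sport, current.dport = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"^([\w' ]+?)\s*:\s*(.+)$", line)  # 'key : value' lines
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "application":
            current.application = value
        elif key == "rule":
            current.rule = value
        elif key == "session via prediction":
            current.predicted = (value == "True")
        elif key == "parent session":
            current.parent = int(value.split()[0])  # tolerate trailing '<<<' notes
    return sessions


def children_by_parent(sessions: Dict[int, Session]) -> Dict[int, List[int]]:
    """Map each control (parent) session ID to the data sessions predicted from it."""
    tree: Dict[int, List[int]] = {}
    for s in sessions.values():
        if s.parent is not None:
            tree.setdefault(s.parent, []).append(s.sid)
    return tree


def unpredicted_ftp_data(sessions: Dict[int, Session]) -> List[int]:
    """ftp-data sessions with no parent: allowed only by an explicit data-port rule."""
    return sorted(s.sid for s in sessions.values()
                  if s.application == "ftp-data" and (not s.predicted or s.parent is None))


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSIONS)
    for parent, kids in children_by_parent(parsed).items():
        print(f"control session {parent} -> data sessions {kids}")
    print("ftp-data sessions not predicted from a control channel:",
          unpredicted_ftp_data(parsed))
```

Running it prints one line per control channel with its predicted data sessions (here 683 with 685 and 690) and lists 700 as the only ftp-data session that had to be let through by a port rule rather than by prediction; that list is the thing to review if a deny rule is later placed between the segments, since predicted children use the parent's policy and need no port-20 opening.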

Thanks

L6 Presenter

Thanx all for your replies, they've been really helpful.
