Issue with correct FTP application detection

cancel
Showing results for 
Search instead for 
Did you mean: 

Issue with correct FTP application detection

L1 Bithead

Hello Everyone!

 

We have a pair of PA-5260 (Panos 9.1.4) between 2 security zones serving primarily the traffic to a file buffer.

About 90% of the traffic is FTP  with server side being a load balancer IP.

With a small fraction of traffic we experience an issue where an absolutely standard acttive FTP data flow fails to be recognized by the PA as an FTP session and appears in the logs as an "unknown-ftp" flow. For each and every such flow there is a common attribute - session end reason is "tcp-reuse". I believe, in our scenario with limited number of source/destination IPs it is not so unexpected to run into a condition when the same ip/port 4-tuple gets reused within the short period of time. The problem is that this "unknown-tcp" application  flow gets dropped by the configured ruleset, which causes transmission problems for the users, because their transfers fail once in a while. 

As a workaround, I have implemented the L4 rule allowing an "unknown-tcp" from port 20 to a client's IP range, which on once side fixed the problem, but on the other side - allowed this subset of flows to pass the firewall uninspected.

I opened the TAC case and after the troubleshooting session the verdict was that we need to configure the application override for FTP app. And this is where I want to ask for more clarifications. TAC engineers explanation was only that it will fix all our problems and improve the performance. But I still struggle to understand how. In my understanding, app override is required when there is some non-standard app, which a user wants to define and maybe provide signatures for deeper inspection. Another use case, as I understand it, would be if a known app is running on non-standard ports, and for this scenario, there is a drop-down list input for the parent app in the App Override dialog box.  Both of these use cases don't quite match our scenario. We have an absolutely standard active FTP, that uses ports 21 and 20 for control and data respectively.

As I undetrstood, if we wouldn't set the FTP as "parent app" in the app override definition, it would catch all the FTP traffic by the overridden FTP app, but without any NG inspection. This would obviously would improve the performance, but disabling the NG inspection is not what we want!

 

Or am I lacking some understanding? Can anybody explain how an app override configuration for standard FTP ports would help us?

 

Thanks!

 

 

 

4 REPLIES 4

Cyber Elite
Cyber Elite

@OleksZuban,

It wouldn't outside of stopping the firewall at L4 inspection instead of full L7, which is "fixing" the issue but as you already stated likely not in the way you are hoping. If the common factor is tcp-reuse you, you could override/customize the TCP Time Wait configured on the application getting identified (1 second is as low as you can go here).

Thank you for the advice! Decreasing the Time Wait sounds much more reasonable. But are there any downsides?

 

In principle, Is there a hope that Palo Alto will fix the application detection under the TCP reuse condition, or am I missing some fundamental issue rendering this fix impossible?

It could be an anomaly in the 9.1.4 software.  have you considered upgrading to 9.1.9?

 

I am running 10.1.0 and I have this issue (but then again... I am on very bleeding edge software as well. :P)

 

 

Help the community: Like helpful comments and mark solutions

Yes, we havre plans to upgrade, but in our production environment it takes a lot of time to plan and perform it. 

As for the dynamic updates - we upgraded at latest and it made no difference.

 


@SteveCantwell wrote:

I am running 10.1.0 and I have this issue (but then again... I am on very bleeding edge software as well. :P)


this does not sound too promising

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!