Cannot Use 'ftp-data' as a Valid Application Selection for a Security Rule
The term 'ftp-data' cannot be used as a valid application identifier in a security rule, and it does not appear to exist in the application database.
This is the expected behavior, as FTP is a special app that uses an ALG (Application Layer Gateway). During the control part of the app, the ALG inspects the FTP control channel and pinholes the data port that will be used, along with the transfer type (active or passive). At that point, the ftp-data session is created. The Palo Alto Networks firewall sees these special sessions as predicted sessions, and the 'predict' flag should be visible under the Type column for 'ftp-data'. This is why the app cannot be found in the application list when configuring the rule-base: the security policy is matched on the parent 'ftp' control session, and the data session is admitted through the pinhole the ALG opened for it.
See the following example.
- The output of `> show session id 537793162` identifies the application as "ftp-data" (blue box in the example).
- Under Monitor > Traffic, the same Session ID 537793162 identifies the application as FTP (red box in the example).
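To make the ALG behavior above concrete, here is an added illustration (not PAN-OS code, and not taken from the article) of how a predicted ftp-data session is derived from the FTP control channel. It parses the client's `PORT` command and the server's `227` (PASV) and `229` (EPSV) replies from a constructed control-channel exchange and emits the partial 5-tuple that a firewall would install as a 'predict' session, with the source port left as a wildcard until the data connection actually arrives. The IP addresses, ports and the exchange itself are constructed sample data; the rule that an announced address must match the control-channel peer is this example's own policy, included because an ALG that pinholed an arbitrary announced address would let the control session open a hole to a third host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample control-channel exchange: client 10.1.1.5 -> server 203.0.113.10:21.
# Direction "C" is client-to-server, "S" is server-to-client.
CLIENT_IP, SERVER_IP, CONTROL_PORT = "10.1.1.5", "203.0.113.10", 21
SAMPLE_EXCHANGE: List[Tuple[str, str]] = [
    ("S", "220 FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)."),
    ("C", "RETR file.bin"),
    ("S", "150 Opening BINARY mode data connection."),
    ("C", "PORT 10,1,1,5,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "PORT 192,0,2,99,0,25"),   # announced address is not the control peer: not pinholed
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
]

# RFC 959 / RFC 2428 formats: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, and (|||port|) for EPSV.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class PredictedSession:
    """Partial 5-tuple the ALG installs ahead of the data connection (TCP assumed)."""
    mode: str                 # "active" (server connects to client) or "passive" (client connects to server)
    src_ip: str               # initiator of the data connection
    src_port: Optional[int]   # None = wildcard; filled in when the real SYN matches the pinhole
    dst_ip: str
    dst_port: int
    application: str = "ftp-data"   # what 'show session id' reports for the data session
    parent_application: str = "ftp"  # what policy was matched on, and what the traffic log shows
    flag: str = "predict"


def _hostport(groups) -> Tuple[str, int]:
    """Decode the six comma-separated octets of PORT / 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def predict_sessions(client_ip: str, server_ip: str, control_port: int,
                     exchange: List[Tuple[str, str]]) -> List[PredictedSession]:
    """Walk the control channel and return the ftp-data sessions an ALG would predict."""
    predicted: List[PredictedSession] = []
    for direction, line in exchange:
        if direction == "C":
            m = PORT_RE.match(line)
            if m:
                ip, port = _hostport(m.groups())
                if ip != client_ip:   # example policy: only pinhole toward the control-channel peer
                    continue
                # Active mode: the server initiates; its source port (often control_port - 1)
                # is not guaranteed, so it stays a wildcard.
                predicted.append(PredictedSession("active", server_ip, None, ip, port))
        else:
            m = PASV_RE.match(line)
            if m:
                ip, port = _hostport(m.groups())
                if ip != server_ip:   # same guard on the server side
                    continue
                predicted.append(PredictedSession("passive", client_ip, None, ip, port))
                continue
            m = EPSV_RE.match(line)
            if m:
                # EPSV carries only a port; the address is the control-channel server.
                predicted.append(PredictedSession("passive", client_ip, None, server_ip, int(m.group(1))))
    return predicted


if __name__ == "__main__":
    for s in predict_sessions(CLIENT_IP, SERVER_IP, CONTROL_PORT, SAMPLE_EXCHANGE):
        src_port = "*" if s.src_port is None else s.src_port
        print(f"{s.flag:8} {s.application:9} {s.mode:8} {s.src_ip}:{src_port} -> {s.dst_ip}:{s.dst_port} "
              f"(policy matched on {s.parent_application})")
```

Running the script prints three predicted sessions: the PASV transfer to 203.0.113.10:50000, the active transfer back to 10.1.1.5:1025, and the EPSV transfer to 203.0.113.10:50001. The second `PORT` line, which announces a third-party address, produces no pinhole. This mirrors what the article describes: the session table carries 'ftp-data' with the 'predict' flag, while the rule-base and the traffic log only ever see 'ftp'.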