Palo Alto Networks Knowledgebase: Cannot Use 'ftp-data' as a Valid Application Selection for a Security Rule

Created On 07/29/19 17:25 PM - Last Updated 07/29/19 17:52 PM

Symptom

The term ftp-data cannot be used as a valid application identifier in a security rule, or it does not appear to exist in the application database.

Cause

This is the expected behavior, because FTP is a special app that uses an ALG (Application Layer Gateway). During the control part of the application, the ALG learns the data port that will be used and the transfer type (active or passive), and opens a pinhole for it. At that point the ftp-data session is created. The Palo Alto Networks firewall treats these special sessions as predicted sessions, and the 'predict' flag should be visible under the Type column for 'ftp-data'. This is why the app cannot be found in the application list when configuring the rulebase: it is never matched directly by a rule, but is derived from the FTP control session that the rule did match.
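To make the mechanism above concrete, the following is an added illustration (not PAN-OS code and not taken from this article) of what an FTP ALG has to work out from the control channel: it parses a constructed PORT/PASV exchange, computes the advertised data endpoint, and records the resulting ftp-data session with its transfer type and a 'predict' type flag. The sample control lines, the client and server addresses, and the function and class names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an FTP control channel. "C:" marks client -> server
# lines, "S:" marks server -> client lines. Not captured from a real device.
SAMPLE_CONTROL = """\
C: USER alice
S: 331 Password required
C: PASS secret
S: 230 Logged in
C: PORT 192,0,2,10,195,80
S: 200 PORT command successful
C: RETR report.csv
S: 150 Opening data connection
C: PASV
S: 227 Entering Passive Mode (198,51,100,7,39,16)
C: LIST
S: 150 Here comes the directory listing
"""

# Constructed addresses of the two ends of the control session.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.7"

# Active mode: client tells the server where to connect (PORT h1,h2,h3,h4,p1,p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: server tells the client where to connect (227 ... (h1,h2,h3,h4,p1,p2)).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class PredictedSession:
    """The data session the ALG expects, before any data packet is seen."""
    mode: str        # "active" or "passive"
    src_ip: str      # side that will open the data connection
    dst_ip: str      # advertised address from the control channel
    dst_port: int    # advertised port from the control channel
    app: str = "ftp-data"
    type: str = "predict"   # the flag this article says shows in the Type column


def decode_endpoint(h1: str, h2: str, h3: str, h4: str, p1: str, p2: str):
    """Turn the six comma-separated FTP fields into (ip, port); port = p1*256 + p2."""
    octets = [int(x) for x in (h1, h2, h3, h4)]
    if any(o > 255 for o in octets) or int(p1) > 255 or int(p2) > 255:
        raise ValueError("field out of range in FTP address")
    return ".".join(str(o) for o in octets), int(p1) * 256 + int(p2)


def predict_data_sessions(control_text: str, client_ip: str, server_ip: str) -> List[PredictedSession]:
    """Walk the control channel and emit one predicted ftp-data session per PORT/PASV.

    An endpoint whose advertised address does not belong to the peer that sent it
    is ignored: the ALG should only pinhole the data port for the real peer.
    """
    sessions: List[PredictedSession] = []
    for line in control_text.splitlines():
        direction, _, payload = line.partition(": ")
        if direction == "C":
            m = PORT_RE.match(payload)
            if m:
                ip, port = decode_endpoint(*m.groups())
                if ip == client_ip:
                    # Server will connect to the client's advertised port.
                    sessions.append(PredictedSession("active", server_ip, ip, port))
        elif direction == "S":
            m = PASV_RE.match(payload)
            if m:
                ip, port = decode_endpoint(*m.groups())
                if ip == server_ip:
                    # Client will connect to the server's advertised port.
                    sessions.append(PredictedSession("passive", client_ip, ip, port))
    return sessions


if __name__ == "__main__":
    for s in predict_data_sessions(SAMPLE_CONTROL, CLIENT_IP, SERVER_IP):
        print(f"{s.app:9} type={s.type} mode={s.mode:7} {s.src_ip} -> {s.dst_ip}:{s.dst_port}")
```

The two predicted sessions come out of the control conversation alone (active to 192.0.2.10:50000, passive to 198.51.100.7:10000), which is why the rulebase only ever needs a rule matching FTP: the ftp-data session is a consequence of that match, not something a rule selects.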

See the following example.

  • The output of > show session id 537793162 identifies the application as "ftp-data" (blue box in the example).
  • Under Monitor > Traffic, Session ID 537793162 identifies the application as FTP (red box in the example).

FTPvsFTP-Data.png

owner: kalavi



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsxCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail