Why does FTP traffic not match the configured rule for port 21
35439
Created On 09/05/19 19:35 PM - Last Modified 02/05/25 01:43 AM
Question
The configured rule for FTP only allows tcp port 21. Traffic logs indicate ports other than 21 being matched as well.
Environment
- PAN-OS
- FTP traffic
Answer
FTP is one of the applications that use an ALG (Application Layer Gateway): the data port is not known in advance and is negotiated during the control session on port 21. While the control part of the application is in progress, the ALG pinholes the data port that will be used and records the transfer type (active or passive). At this point an ftp-data session is created. The firewall treats these special sessions as predict sessions, and the 'predict' flag is set on them. Once the data port has been negotiated, the predict session is updated with that port number (ftp-data).
The logs report the negotiated data port under the same rule that allowed the control session; this is expected behaviour.
Refer to Application Level Gateways for details on ALG.
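As an added illustration (not code from this article or from PAN-OS), the following Python models how an ALG reads PORT commands and 227 passive replies on the control channel and derives the predict session for the data channel. The IPs, ports and exchange are constructed, and the PredictSession fields are an assumed simplification of what a firewall tracks, not the PAN-OS data structure.

```python
import re
from dataclasses import dataclass

# Constructed sample control exchange: client 10.1.1.5 -> server 203.0.113.7:21.
# Lines use the RFC 959 PORT / PASV wire syntax; the values are made up.
CONTROL_EXCHANGE = [
    ("client", "PORT 10,1,1,5,195,80"),
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,7,39,22)."),
]

HOST_PORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class PredictSession:
    """The data-channel flow the ALG expects after one negotiation (assumed fields)."""
    mode: str        # "active" (PORT) or "passive" (PASV/227)
    src_ip: str      # side that will open the data connection
    dst_ip: str      # side that will accept it
    dst_port: int    # the negotiated port; source port is unknown until the SYN arrives


def _parse_host_port(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    m = HOST_PORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def predict_data_sessions(exchange, client_ip, server_ip):
    """Walk the control session and emit one predict session per negotiation.

    Active: the client advertises a port, so the server will connect to the client.
    Passive: the server advertises a port, so the client will connect to the server.
    """
    predicted = []
    for side, line in exchange:
        if side == "client" and line.upper().startswith("PORT "):
            hp = _parse_host_port(line)
            if hp:
                predicted.append(PredictSession("active", server_ip, hp[0], hp[1]))
        elif side == "server" and line.startswith("227"):
            hp = _parse_host_port(line)
            if hp:
                predicted.append(PredictSession("passive", client_ip, hp[0], hp[1]))
    return predicted


def matches_predict(pred, src_ip, dst_ip, dst_port):
    """True if an observed TCP flow is the data channel this predict session is waiting for."""
    return pred.src_ip == src_ip and pred.dst_ip == dst_ip and pred.dst_port == dst_port
```

A flow that matches a predict session is logged against the rule that allowed the control session, which is why a rule written for tcp/21 shows data ports such as the ones computed here.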
Additional Information
Refer to ftp-data for additional details.