FTP dumps of Packet captures are not being sent to the FTP server (Packet Monitor Logging Tab)
03/26/2020
Even after configuring the Packet Monitor "Logging" tab to send FTP dumps of Packet captures to the FTP server, files are not being sent to the FTP server. The FTP server opens the data channel, but then returns a 425 error a second later, stating that it can't open data connection for transfer of the file.
A 150 reply, stating that the data channel is open, means the FTP server expects a second FTP socket to open and carry the actual file. However, in the screenshot above, the firewall never opened the second socket. Instead, the firewall fails to pass traffic to the destination for 10 seconds, then generates a RST/ACK packet to close the socket. This can occur if FTP transformations are enabled for a custom port rather than for the FTP ports.
(If FTP transformations do not use the default ports, this second socket from source port 49226 is not created. Note this new source port 49226 is 2 port numbers higher than the original socket's source port of 49224.)
Under Manage | Firewall Settings | Advanced Settings, set the drop-down menu to use the object "FTP (All)".
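To confirm the 150-then-425 symptom described above from an FTP control-channel log, the following added example (not part of the original article and not vendor code) scans a transcript and reports each transfer whose data connection never arrived. It assumes a passive-mode session; the transcript, file name and addresses are constructed, and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed control-channel transcript (not taken from the article):
# the server announces the data channel (150), then gives up (425).
SAMPLE = """\
220 FTP server ready
USER capture
331 Password required
PASS ********
230 Logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
STOR packet-capture-1.cap
150 Opening data channel for file upload
425 Can't open data connection for transfer
"""

# RFC 959 passive reply: (h1,h2,h3,h4,p1,p2), data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def diagnose(transcript):
    """Return one finding per transfer where 150 was followed by 425."""
    findings = []
    endpoint = filename = None
    awaiting_data = False  # True between a 150 reply and its final reply
    for line in transcript.splitlines():
        match = PASV_RE.match(line)
        if match:
            h1, h2, h3, h4, p1, p2 = map(int, match.groups())
            endpoint = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        elif line.upper().startswith(("STOR ", "RETR ")):
            filename = line.split(" ", 1)[1].strip()
        elif line.startswith("150"):
            awaiting_data = True
        elif line.startswith("226"):
            awaiting_data = False  # transfer completed normally
        elif line.startswith("425") and awaiting_data:
            # Server was ready, but the second socket never reached it.
            findings.append({"file": filename, "data_endpoint": endpoint})
            awaiting_data = False
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print("data connection never established:", finding)
```

A finding here, combined with a capture showing no second socket leaving the firewall, points at the FTP transformations setting rather than at the FTP server.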