Alan, that article is titled "Configuring FTP service over non-standard ports", which is exactly what I stated earlier:
All ScreenOS documentation references the use of the application command in a policy when using non-standard ports for a particular application
I just did a passive ftp transfer using my existing policy that doesn't have the Application FTP command and it went through without a hitch. Attached is a sample of the debug flow:
netscreen-> get policy id 64
name:"FTP/NTP/SSH" (id 64), zone Trust -> Untrust,action Permit, status "enabled"
1 source: "10.0.0.0/8_trust"
1 destination: "Any"
3 services: "FTP", "NTP", "SSH"
Policies on this vpn tunnel: 0
nat src, Web filtering disabled
****** 4234301.0: <Trust/ethernet0/0> packet received [48]******
ipid = 12035(2f03), @2e5a9110
packet passed sanity check.
ethernet0/0:10.1.100.246/2634->209.xxx.229.58/21,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
[ Dest] 14.route 10.1.100.246->10.0.254.254, to ethernet0/0
chose interface ethernet0/0 as incoming nat if.
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 10.1.100.246->209.xxx.229.58) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 13.route 209.xxx.229.58->63.xxx.28.1, to ethernet6/0
routed (x_dst_ip 209.xxx.229.58) from ethernet0/0 (ethernet0/0 in 0) to ethernet6/0
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 209.xxx.229.58, port 21, proto 6)
No SW RPC rule match, search HW rule
Permitted by policy 64
dip id = 2, 10.1.100.246/2634->63.xxx.28.5/5800
choose interface ethernet6/0 as outgoing phy if
no loop on ifp ethernet6/0.
session application type 1, name FTP, nas_id 0, timeout 1800sec
ALG vector is attached service lookup identified service 1.
flow_first_final_check: in <ethernet0/0>, out <ethernet6/0>
existing vector list 83-66d4630.
Session (id:62327) created for first pak 83
flow_first_install_session======>
route to 63.xxx.28.1
arp entry found for 63.xxx.28.1
nsp2 wing prepared, ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet6/0, 209.xxx.229.58->10.1.100.246) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
[ Dest] 14.route 10.1.100.246->10.0.254.254, to ethernet0/0
route to 10.0.254.254
flow got session.
flow session id 62327
Got syn, 10.1.100.246(2634)->209.xxx.229.58(21), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
.
.
.
.
.
.
.
.
.
.
.
PASSIVE FTP starts here
****** 4234301.0: <Trust/ethernet0/0> packet received [48]******
ipid = 12048(2f10), @2e6a0910
packet passed sanity check.
ethernet0/0:10.1.100.246/2635->209.xxx.229.58/64769,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
[ Dest] 14.route 10.1.100.246->10.0.254.254, to ethernet0/0
vsd (0) is active,
make hole active active hole found make_nsp_ready_no_resolve()
route to 63.xxx.28.1
existing vector list 83-66d4630.
flow_first_install_session======>
make_nsp_ready_no_resolve()
route to 10.0.254.254
flow got session.
flow session id 62507
Got syn, 10.1.100.246(2635)->209.xxx.229.58(64769), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
****** 4234301.0: <Untrust/ethernet6/0> packet received [48]******
ipid = 25394(6332), @2e50a910
packet passed sanity check.
ethernet6/0:209.xxx.229.58/64769->63.xxx.28.5/2635,6<Root>
existing session found. sess token 6
flow got session.
flow session id 62507
Got syn_ack, 209.xxx.229.58(64769)->63.xxx.28.5(2635), nspflag 0x801800, 0x801801
flow_send_vector_, vid = 0, is_layer2_if=0
****** 4234301.0: <Trust/ethernet0/0> packet received [40]******
ipid = 12050(2f12), @2e504910
packet passed sanity check.
ethernet0/0:10.1.100.246/2635->209.xxx.229.58/64769,6<Root>
existing session found. sess token 4
flow got session.
flow session id 62507
Got ack, 10.1.100.246(2635)->209.xxx.229.58(64769), natpflag 0x1000, nspflag 0x801801, 0x801800, timeout=900
Observations:
- ScreenOS activates the FTP ALG automatically if FTP is specified as a service in the policy
- ScreenOS creates a temporary session as part of the FTP ALG permitting ports >1023 between client and server
- This temporary session is closed immediately once the transfer is complete
- The client's source port is not port-translated during the PASSIVE FTP
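As an added example, not from the post or from Juniper, here is a small Python checker that parses lines of this debug flow output and verifies the observations above (FTP ALG attached to the port-21 session, a pinhole opened to a port above 1023, and the client's source port left untranslated on the data channel). The sample lines are condensed from the capture quoted in the post, and the field names and the header/annotation split are my own assumptions about the format.

```python
import re
# Constructed sample condensed from the "debug flow basic" output quoted in the post (addresses masked with xxx as there).
SAMPLE = """\
ethernet0/0:10.1.100.246/2634->209.xxx.229.58/21,6<Root>
Permitted by policy 64
dip id = 2, 10.1.100.246/2634->63.xxx.28.5/5800
session application type 1, name FTP, nas_id 0, timeout 1800sec
ethernet0/0:10.1.100.246/2635->209.xxx.229.58/64769,6<Root>
make hole active active hole found make_nsp_ready_no_resolve()
ethernet6/0:209.xxx.229.58/64769->63.xxx.28.5/2635,6<Root>
existing session found. sess token 6
Got syn_ack, 209.xxx.229.58(64769)->63.xxx.28.5(2635), nspflag 0x801800, 0x801801
"""
# packet header: ifname:src/sport->dst/dport,proto<vsys>; ANNOT lines describe the session that packet hit
HEADER = re.compile(r"^\S+:([\w.]+)/(\d+)->([\w.]+)/(\d+),(\d+)<")
ANNOT = [(re.compile(r"Permitted by policy (\d+)"), "policy"),
         (re.compile(r"^dip id = \d+, [\w.]+/\d+->[\w.]+/(\d+)"), "xlated_sport"),
         (re.compile(r"session application type \d+, name (\w+)"), "alg"),
         (re.compile(r"Got syn_ack, [\w.]+\(\d+\)->[\w.]+\((\d+)\)"), "synack_to_port")]

def parse_flow(text):
    """Return one dict per packet header; the lines after a header annotate that packet."""
    pkts = []
    for line in text.splitlines():
        if h := HEADER.match(line):
            s, sp, d, dp, pr = h.groups()
            pkts.append({"src": s, "sport": int(sp), "dst": d, "dport": int(dp),
                         "proto": int(pr), "new": True, "pinhole": False})
        elif pkts:
            p = pkts[-1]
            p["new"] = p["new"] and "existing session found" not in line
            p["pinhole"] = p["pinhole"] or "make hole" in line  # ALG pinhole for the data channel
            for rx, key in ANNOT:
                if m := rx.search(line):
                    p[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return pkts

def audit_passive_ftp(text):
    """Check: FTP ALG on the port-21 session, pinhole to a port >1023, client source port preserved."""
    pkts = parse_flow(text)
    ctl = next((p for p in pkts if p["new"] and p["proto"] == 6 and p["dport"] == 21), None)
    if ctl is None:
        return {"control_session": False}
    data = [p for p in pkts if p["new"] and p["pinhole"] and p["src"] == ctl["src"]
            and p["dst"] == ctl["dst"] and p["dport"] > 1023]
    replies = {p["synack_to_port"] for p in pkts if "synack_to_port" in p}
    return {"control_session": True, "policy": ctl.get("policy"),
            "alg_attached": ctl.get("alg") == "FTP",
            "control_sport_translated": ctl.get("xlated_sport") not in (None, ctl["sport"]),
            "pinhole_high_ports": [p["dport"] for p in data],
            "data_sport_preserved": all(p["sport"] in replies for p in data)}
```

Note that the control channel itself is source-NATed (2634 becomes 5800 in the dip line), which is why the check compares the data channel's syn_ack destination port against the original client port rather than assuming no translation anywhere.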