The following host rules deny all access other than FTP. The FTP login itself succeeds, but FTP operations after login are denied.
er host 192.168.xxx.xxx audit(f) own(nobody)
auth host 192.168.xxx.xxx service(*) acc(n)
auth host 192.168.xxx.xxx service(ftp) acc(a)
date time D HOST 20089 169 3 192.168.xxx.xxx /usr/sbin/vsftpd
In this case, FTP login on port 21 succeeds, but the access via port 20089 is denied after login.
Port 20089 is being used as the FTP data port.
Privileged Identity Manager
The data port must be authorized as well.
If the data port is chosen at random, fix it to a defined range, for example 20000-21000.
Then authorize that port range in the host rule:
auth host 192.168.xxx.xxx service(20000-21000) acc(a)
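As an added example (not part of this article and not the product's own tooling), the script below replays HOST denial records from the audit log against a set of host rules to confirm that a denied data port is covered once the range rule is in place. It assumes the selang-style rule syntax shown above, that a more specific service entry takes precedence over the `service(*)` entry (which is what the article's behaviour shows: ftp allowed while everything else is denied), that the service name `ftp` means port 21, and the audit line layout shown in the article; host address, timestamps and audit lines are constructed placeholders. For vsftpd the data-port range itself is pinned with the `pasv_min_port` and `pasv_max_port` options in vsftpd.conf.

```python
import re

# Constructed host rules in the article's selang-style syntax (placeholder host).
# The last rule is the data-port range authorization the resolution adds.
HOST_RULES = """\
auth host 192.168.xxx.xxx service(*) acc(n)
auth host 192.168.xxx.xxx service(ftp) acc(a)
auth host 192.168.xxx.xxx service(20000-21000) acc(a)
"""

# Constructed audit records in the layout the article shows:
# date time D HOST <port> <n> <n> <host> <program>
AUDIT_LINES = """\
2024-01-01 10:00:05 D HOST 20089 169 3 192.168.xxx.xxx /usr/sbin/vsftpd
2024-01-01 10:00:09 D HOST 2222 169 3 192.168.xxx.xxx /usr/sbin/sshd
"""

# Assumption: the only symbolic service name used here is ftp (port 21).
SERVICE_PORTS = {"ftp": 21}

RULE_RE = re.compile(r"^auth host (\S+) service\(([^)]+)\) acc\((\w)\)$")
AUDIT_RE = re.compile(r"^(\S+) (\S+) (\w) HOST (\d+) \d+ \d+ (\S+) (\S+)$")


def parse_rules(text):
    """Turn rule lines into (host, low_port, high_port, access) tuples.
    service(*) covers every port; 'a-b' is a range; a name maps via SERVICE_PORTS."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        host, svc, acc = m.groups()
        if svc == "*":
            lo, hi = 0, 65535
        elif "-" in svc:
            lo, hi = (int(p) for p in svc.split("-", 1))
        elif svc.isdigit():
            lo = hi = int(svc)
        else:
            lo = hi = SERVICE_PORTS[svc]
        rules.append((host, lo, hi, acc))
    return rules


def effective_access(rules, host, port):
    """Narrowest matching service entry wins; service(*) is the fallback.
    Assumption: this mirrors the precedence the article's rules exhibit."""
    best = None
    for h, lo, hi, acc in rules:
        if h == host and lo <= port <= hi:
            if best is None or (hi - lo) < (best[0] - best[1]) * -1:
                best = (lo, hi, acc)
    return best[2] if best else None


def review_denials(rules_text, audit_text):
    """For each HOST denial (code D) in the audit text, report the port, the
    program, and the access the given rule set would now grant ('a' or 'n')."""
    rules = parse_rules(rules_text)
    report = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m or m.group(3) != "D":
            continue
        port, host, program = int(m.group(4)), m.group(5), m.group(6)
        report.append((port, program, effective_access(rules, host, port)))
    return report


if __name__ == "__main__":
    for port, program, acc in review_denials(HOST_RULES, AUDIT_LINES):
        status = "now authorized" if acc == "a" else "still denied"
        print(f"port {port} ({program}): {status}")
```

Running it against the three rules reports port 20089 for vsftpd as now authorized, while the unrelated denial on port 2222 stays denied; dropping the range rule from HOST_RULES makes the 20089 record come back as denied, which is the situation the article describes.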