Troubleshooting Tip: Allowing SSH but blocking SFTP through port 22
Description
This article describes how to allow SSH sessions while blocking SFTP on the same port 22. The firewall has to run in Proxy Mode, as the SSH Proxy will be used to inspect the SSH session.
Scope
FortiGate.
Solution
Ensure the firewall is in 'Proxy' mode under System -> Setting.

Enable 'Explicit Proxy' in Feature Visibility.
System -> Setting -> Feature Visibility.

Create the SSL/SSH inspection profile in the CLI.
config firewall ssl-ssh-profile
(ssl-ssh-profile) # edit sshprofiledeepinspection
new entry 'sshprofiledeepinspection' added
(sshprofiledeepin~ion) # config ssh
(ssh) # set ssh-policy-check enable
(ssh) # set ssh-tun-policy-check enable
(ssh) # end
(sshprofiledeepin~ion) # end
Create an SSH filter profile from the CLI that blocks and logs the SFTP subsystem.
config ssh-filter profile
(profile) # edit sshfilterprofile
new entry 'sshfilterprofile' added
(sshfilterprofile) # set block sftp
(sshfilterprofile) # set log sftp
(sshfilterprofile) # end
Configure the firewall policy from the command line.
config firewall policy
edit 1
set srcintf "port2"
set dstintf "port1"
set srcaddr "x.x.x.x"
set dstaddr "AllowSSHy.y.y.y" "BlockedSFTPz.z.z.z"
set action accept
set schedule "always"
set service "SSH"
set utm-status enable
set ssh-filter-profile "sshfilterprofile"
set ssl-ssh-profile "sshprofiledeepinspection"
end
Configure the proxy policy from the command line.
config firewall proxy-policy
(proxy-policy) # edit 1
(1) # show full
set proxy ssh
set dstintf "port1"
set srcaddr "x.x.x.x"
set dstaddr "AllowSSHy.y.y.y" "BlockedSFTPz.z.z.z"
set action accept
set status enable
set schedule "always"
set utm-status enable
set ssh-filter-profile "sshfilterprofile"
set ssl-ssh-profile "sshprofiledeepinspection"
end
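To confirm the policy behaves as intended, the following client-side check is added here (it is not part of the Fortinet article). It assumes a client behind the policy with key-based authentication to a host that is covered by the AllowSSH/BlockedSFTP address objects; the target name is passed as the first argument.

```shell
# Added verification script (not from the Fortinet article): run it from a client
# behind the policy, against a host matched by the AllowSSH/BlockedSFTP objects.
# Expected result with 'set block sftp' in the SSH filter profile: the exec SSH
# session succeeds, while the SFTP subsystem request is blocked by the SSH proxy.

# Classify the two exit codes; returns 0 only when SSH worked AND SFTP was blocked.
classify_result() {
    ssh_rc="$1"
    sftp_rc="$2"
    if [ "$ssh_rc" -ne 0 ]; then
        echo "FAIL: plain SSH session failed (rc=$ssh_rc); check the firewall/proxy policy"
        return 1
    fi
    if [ "$sftp_rc" -eq 0 ]; then
        echo "FAIL: SFTP succeeded (rc=$sftp_rc); 'set block sftp' is not taking effect"
        return 2
    fi
    echo "OK: SSH allowed (rc=$ssh_rc), SFTP blocked (rc=$sftp_rc)"
    return 0
}

# Run both probes against TARGET (user@host, an assumed placeholder).
# BatchMode=yes prevents hanging on password or host-key prompts.
probe_host() {
    target="$1"
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$target" 'echo ssh-ok' >/dev/null 2>&1
    ssh_rc=$?
    # Send a single 'ls' to the SFTP subsystem via a batch file read from stdin.
    printf 'ls\n' | sftp -o BatchMode=yes -o ConnectTimeout=10 -b - "$target" >/dev/null 2>&1
    sftp_rc=$?
    classify_result "$ssh_rc" "$sftp_rc"
}

# Only probe when a target was given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    probe_host "$1"
fi
```

If the SFTP probe still succeeds, check the WAD debug output below to confirm the session is actually being handled by the SSH proxy rather than passed through by a flow-mode policy.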
Troubleshooting:
Debug flow:
diagnose debug reset
diagnose debug disable
diagnose debug flow filter port 22
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 999
diagnose debug enable
Debug WAD:
diagnose debug reset
diagnose wad filter src x.x.x.x <----- Source IP.
diagnose debug console timestamp enable
diagnose debug duration 240
diagnose wad debug enable category ssh
diagnose wad debug enable level verbose
diagnose debug enable
To stop debugs:
diagnose debug reset
diagnose debug disable
Related document: