johnathan
Staff
August 26, 2025

Troubleshooting Tip: SFTP connections are failing whenever the Web Filter is enabled

Description
This article describes why SFTP connections may fail when the Web Filter is enabled, even though these connections are not being specifically blocked by the firewall.
Scope
FortiOS 7.4.8, 7.6.3.
Solution

Enabling the 'Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex' feature in the Web Filter may cause SFTP connections to fail unexpectedly.

 


 

This is due to a known issue tracked under #1191728. If this option is enabled and there are no logs showing the FortiGate blocking the session, this may be the issue. It should also only occur when the policy is in Flow mode.

 

If Safe Search needs to stay enabled, switch the policy to Proxy-based mode as a workaround, or create a new policy with the SFTP server as the destination with no Web Filter enabled. 

 

It is possible to confirm this by taking an IPS debug filtered to the SFTP traffic. See Troubleshooting Tip: IPS engine new debug commands.

The following is example output captured while the issue is occurring. It shows the FortiGate tearing down the session after it is established, usually with 'reason 3' in the output:


[13003@551268]ips_run_decode: ips_pkt_id: 15601321
0000 45 20 00 5C B3 CB 00 00 2E 06 1A 98 AC D2 A4 15 E .\............
0010 0A 0A 63 27 00 16 D4 78 58 30 A5 E1 A5 0F AE 3D ..c'...xX0.....=
0020 50 18 00 10 D3 16 00 00 53 53 48 2D 32 2E 30 2D P.......SSH-2.0-
0030 39 2E 39 39 20 46 6C 6F 77 53 73 68 3A 20 42 69 9.99 FlowSsh: Bi
0040 74 76 69 73 65 20 53 53 48 20 53 65 72 76 65 72 tvise SSH Server
0050 20 28 57 69 6E 53 53 48 44 29 0D 0A (WinSSHD)..
[13003@551268]ips_run_session_verdict_check: serial=223278493 session is ACTIVE
[13003@551268]ips_transit_tcp_state: (C:ESTABLISHED S:ESTABLISHED) <- ACK --
[13003@551268]ips_handle_tcp_action: (C:ESTABLISHED S:ESTABLISHED) act=NONE
[13003@551268]ips_process_event: ctx 18: 0 => 3
[13003@551268]check_session_bypass: serial=223278493 ignored: no interest
[13003@551268]ips_set_pkt_verdict: action=PASS_SESSION
[13003@551268]ips_handle_pkt_verdict: pass a session, size=92
[13003@551268]ips_session_sched_release: serial=223278493 close session 0x7f74e62698, reason 3
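
To triage a longer IPS debug capture for this pattern, the following added example (not Fortinet code) rebuilds each dumped packet from its hex lines and reports sessions that the IPS engine released after an SSH banner was decoded. The function name is hypothetical, the line layout is assumed to match the output above, and the sample is an excerpt of that output.

```python
import re

# Excerpt of the debug output shown in this article, used as sample input.
SAMPLE = r"""[13003@551268]ips_run_decode: ips_pkt_id: 15601321
0000 45 20 00 5C B3 CB 00 00 2E 06 1A 98 AC D2 A4 15 E .\............
0010 0A 0A 63 27 00 16 D4 78 58 30 A5 E1 A5 0F AE 3D ..c'...xX0.....=
0020 50 18 00 10 D3 16 00 00 53 53 48 2D 32 2E 30 2D P.......SSH-2.0-
0030 39 2E 39 39 20 46 6C 6F 77 53 73 68 3A 20 42 69 9.99 FlowSsh: Bi
0040 74 76 69 73 65 20 53 53 48 20 53 65 72 76 65 72 tvise SSH Server
0050 20 28 57 69 6E 53 53 48 44 29 0D 0A (WinSSHD)..
[13003@551268]ips_set_pkt_verdict: action=PASS_SESSION
[13003@551268]ips_session_sched_release: serial=223278493 close session 0x7f74e62698, reason 3
"""

TAG = re.compile(r"^\[(\d+@\d+)\](\w+): (.*)$")            # [worker@id]function: text
HEXLINE = re.compile(r"^[0-9A-Fa-f]{4}((?: [0-9A-Fa-f]{2}(?!\S)){1,16})")
RELEASE = re.compile(r"serial=(\d+) close session \S+ reason (\d+)")
BANNER = re.compile(rb"SSH-[\d.]+-[^\r\n]*")                # SSH identification string

def find_closed_ssh_sessions(debug_text):
    """Return (serial, reason, banner) for each session released by the
    IPS engine after a packet carrying an SSH banner was decoded."""
    packets = {}            # worker tag -> bytes of the last dumped packet
    findings, tag = [], None
    for line in debug_text.splitlines():
        m = TAG.match(line.strip())
        if m:
            tag, func, rest = m.groups()
            if func == "ips_run_decode":
                packets[tag] = bytearray()          # a new packet dump follows
            elif func == "ips_session_sched_release":
                rel = RELEASE.search(rest)
                banner = BANNER.search(bytes(packets.get(tag, b"")))
                if rel and banner:
                    findings.append((int(rel.group(1)), int(rel.group(2)),
                                     banner.group().decode("ascii", "replace")))
            continue
        h = HEXLINE.match(line.strip())
        if h and tag in packets:                    # hex dump line of the current packet
            packets[tag] += bytes.fromhex(h.group(1))
    return findings

if __name__ == "__main__":
    for serial, reason, banner in find_closed_ssh_sessions(SAMPLE):
        print(f"serial={serial} reason={reason} banner={banner!r}")
```

A hit with reason 3, combined with no block entry in the logs and Safe Search enabled on a Flow mode policy, matches the symptoms described in this article.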