| Description | This article describes the troubleshooting steps when SSH access to a Linux server is blocked by FortiEDR. |
| Scope | FortiEDR. |
| Solution |
When FortiEDR blocks an SSH connection to a Linux host, a log message similar to the following can be observed:
"Fortinet Endpoint Detection and Response: Undefined operation was blocked for process /usr/sbin/sshd (pid : 6439)"
Troubleshoot: Because the message relates to a blocked network connection, one possible cause is that the connection has been blocked by FortiEDR Communication Control policies.
Below are the steps to troubleshoot the issue:
In FortiEDR, go to Communication Control -> Policies, then identify which policy is applied to the affected host's collector group.
If the relevant policy has any applications configured as 'denied' apps under 'Affected apps', select the link to verify whether SSH appears on that list.
On the 'APPLICATIONS' page, search for the keyword 'SSH'.
If SSH is listed under blocked applications, SSH is being blocked by the FortiEDR Communication Control policies.
How to fix it: In FortiEDR, create an exception rule for the relevant Collector Group to allow SSH to the required Linux hosts. |
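
To confirm on the host that FortiEDR is what blocks sshd before changing any policy, the block message quoted above can be pulled out of the system log and summarized per process. This is an added example, not Fortinet code; the log prefixes in the sample are constructed, and where the message is written (journal, /var/log/messages, or elsewhere) depends on the host's logging setup and is an assumption.

```python
import re
import sys
from collections import defaultdict

# Message text as quoted in the article. The operation name is matched
# generically; only "Undefined operation" is shown in the article.
BLOCK_RE = re.compile(
    r"Fortinet Endpoint Detection and Response: (?P<op>.+?) was blocked "
    r"for process (?P<proc>\S+) \(pid\s*:\s*(?P<pid>\d+)\)"
)

def parse_blocks(lines):
    """Yield (process_path, pid, operation) for each FortiEDR block message."""
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            yield m.group("proc"), int(m.group("pid")), m.group("op")

def summarize(lines):
    """Map each blocked process path to the sorted list of PIDs that were blocked."""
    pids = defaultdict(set)
    for proc, pid, _op in parse_blocks(lines):
        pids[proc].add(pid)
    return {proc: sorted(p) for proc, p in pids.items()}

def sshd_blocked(lines):
    """True if any block message names a binary called sshd."""
    return any(proc.rsplit("/", 1)[-1] == "sshd"
               for proc, _pid, _op in parse_blocks(lines))

# Constructed sample: timestamps, host name and tags are invented; only the
# FortiEDR message text follows the article.
SAMPLE = """\
Mar  3 10:15:02 web01 kernel: Fortinet Endpoint Detection and Response: Undefined operation was blocked for process /usr/sbin/sshd (pid : 6439)
Mar  3 10:15:04 web01 sshd[6440]: Connection closed by 192.0.2.10 port 50122 [preauth]
Mar  3 10:15:09 web01 kernel: Fortinet Endpoint Detection and Response: Undefined operation was blocked for process /usr/sbin/sshd (pid : 6451)
Mar  3 10:16:30 web01 kernel: Fortinet Endpoint Detection and Response: Undefined operation was blocked for process /usr/bin/curl (pid : 6502)
"""

if __name__ == "__main__":
    # Read a log from stdin when piped, otherwise fall back to the sample.
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for proc, pids in summarize(lines).items():
        print(f"{proc}: {len(pids)} blocked, pids={pids}")
    print("sshd blocked by FortiEDR:", sshd_blocked(lines))
```

If sshd does not appear in the output while SSH still fails, the cause is likely outside the Communication Control policies described here.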
Copyright 2025 Fortinet, Inc. All Rights Reserved.