FortiGate
lestopace
Staff
Article Id 197860
Description
This article configures an SSH filter profile that blocks SFTP while still allowing SSH to the same destinations. SFTP is negotiated inside the encrypted SSH session, so the filter only works with SSH deep inspection: the FortiGate must run in proxy-based inspection mode, because the SSH proxy (the WAD daemon) terminates the client session and opens its own session to the server.

Solution
Ensure the firewall is in proxy-based inspection mode.
System -> Settings -> Inspection Mode: Proxy.

Enable 'Explicit Proxy' in Feature Visibility so that proxy policies can be configured.
System -> Settings -> Feature Visibility.

Create an SSL/SSH inspection profile with SSH deep inspection (policy check for SSH and SSH tunnels) from the CLI.
# config firewall ssl-ssh-profile
(ssl-ssh-profile) # edit sshprofiledeepinspection
new entry 'sshprofiledeepinspection' added
(sshprofiledeepin~ion) # config ssh
(ssh) # set ssh-policy-check enable
(ssh) # set ssh-tun-policy-check enable
(ssh) # end
(sshprofiledeepin~ion) # end
Create an SSH filter profile that blocks and logs SFTP from the CLI.
# config ssh-filter profile
(profile) # edit sshfilterprofile
new entry 'sshfilterprofile' added
(sshfilterprofile) # set block sftp
(sshfilterprofile) # set log sftp
(sshfilterprofile) # end
Configure the firewall policy from the command line. The policy must have UTM enabled and reference both the SSH filter profile and the SSL/SSH inspection profile; without the inspection profile the SSH session is never proxied and the filter never sees the SFTP request.
# config firewall policy
    edit 1
    set srcintf "port2"
    set dstintf "port1"
    set srcaddr "x.x.x.x"
    set dstaddr "AllowSSHy.y.y.y" "BlockedSFTPz.z.z.z"
    set action accept
    set schedule "always"
    set service "SSH"
    set utm-status enable
    set ssh-filter-profile "sshfilterprofile"
    set ssl-ssh-profile "sshprofiledeepinspection"
    next
end
Configure the SSH proxy policy from the command line. It references the same two profiles; `set proxy ssh` is what hands the sessions matched by the firewall policy to the SSH proxy.
# config firewall proxy-policy
    edit 1
    set proxy ssh
    set dstintf "port1"
    set srcaddr "x.x.x.x"
    set dstaddr "AllowSSHy.y.y.y" "BlockedSFTPz.z.z.z"
    set action accept
    set status enable
    set schedule "always"
    set utm-status enable
    set ssh-filter-profile "sshfilterprofile"
    set ssl-ssh-profile "sshprofiledeepinspection"
    next
end
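Why the SSH filter needs deep inspection becomes clear from the protocol. SFTP is not a separate port or service: the client asks for it with an SSH_MSG_CHANNEL_REQUEST of type "subsystem" with the name "sftp" (RFC 4254, section 6.5), sent inside the already encrypted session. A policy matching service "SSH" therefore cannot tell an SFTP transfer from an interactive login; only a proxy that has terminated the client session sees this message in the clear. The following is an added example, not FortiGate code: it encodes and decodes that request and applies a verdict modelled on the page's profile (`set block sftp`, `set log sftp`). The category names and the scp heuristic are this example's own assumptions about how an SSH filter classifies requests, not FortiOS internals.

```python
"""Decode the SSH channel request in which a client asks for SFTP.

Added example (not FortiGate code): shows the RFC 4254 CHANNEL_REQUEST
that an SSH deep-inspection proxy has to see to enforce "block sftp".
Category names and the scp heuristic are assumptions for illustration.
"""
import struct

SSH_MSG_CHANNEL_REQUEST = 98

# Mirrors the page's ssh-filter profile: "set block sftp" / "set log sftp".
PAGE_PROFILE = {"block": {"sftp"}, "log": {"sftp"}}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_channel_request(channel: int, request_type: str, *args: str,
                          want_reply: bool = True) -> bytes:
    """Encode an SSH_MSG_CHANNEL_REQUEST as a client would send it."""
    msg = bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
    msg += _ssh_string(request_type.encode("ascii"))
    msg += bytes([1 if want_reply else 0])
    for arg in args:
        msg += _ssh_string(arg.encode("utf-8"))
    return msg


def _read_uint32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _read_string(buf: bytes, off: int):
    length, off = _read_uint32(buf, off)
    if off + length > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + length], off + length


def parse_channel_request(msg: bytes) -> dict:
    """Decode the fixed header plus the argument of subsystem/exec requests."""
    if not msg or msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not an SSH_MSG_CHANNEL_REQUEST")
    channel, off = _read_uint32(msg, 1)
    rtype, off = _read_string(msg, off)
    if off >= len(msg):
        raise ValueError("truncated want_reply")
    req = {"channel": channel, "type": rtype.decode("ascii", "replace"),
           "want_reply": bool(msg[off])}
    off += 1
    if req["type"] in ("subsystem", "exec"):
        arg, off = _read_string(msg, off)
        req["arg"] = arg.decode("utf-8", "replace")
    return req


def classify(req: dict):
    """Map a request to a filter category (assumed names), or None for
    requests such as pty-req/env that carry no category of their own."""
    rtype = req["type"]
    if rtype == "subsystem":
        return "sftp" if req["arg"] == "sftp" else "unknown"
    if rtype == "exec":
        # Legacy scp is an exec of the remote 'scp' binary (assumed heuristic).
        argv = req["arg"].split()
        if argv and argv[0].rsplit("/", 1)[-1] == "scp":
            return "scp"
        return "exec"
    if rtype == "shell":
        return "shell"
    if rtype in ("pty-req", "env", "window-change", "signal"):
        return None
    return "unknown"


def apply_ssh_filter(msg: bytes, profile: dict = PAGE_PROFILE) -> dict:
    """Return the verdict the filter profile would give for one request."""
    category = classify(parse_channel_request(msg))
    blocked = category is not None and category in profile["block"]
    return {"category": category,
            "action": "block" if blocked else "allow",
            "log": category is not None and category in profile["log"]}


if __name__ == "__main__":
    # Constructed sample requests, as a client would send them on channel 0.
    samples = [("sftp subsystem", build_channel_request(0, "subsystem", "sftp")),
               ("legacy scp", build_channel_request(0, "exec", "scp -t /tmp")),
               ("interactive shell", build_channel_request(0, "shell"))]
    for label, m in samples:
        print(f"{label:18} -> {apply_ssh_filter(m)}")
```

Two caveats follow from this. OpenSSH 9.0 and later make `scp` use the SFTP protocol by default, so a modern `scp` transfer arrives as the "sftp" subsystem and is blocked by `set block sftp` even though the profile does not block scp (the legacy protocol is selected with `scp -O`). And a client that is still allowed a shell or exec can move files through it, so blocking SFTP alone restricts a tool, not the data path.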
Troubleshooting.

Debug flow (confirms the session matches the firewall policy and is handed to the proxy).
# diagnose debug flow filter port 22
# diagnose debug flow trace start 999
# diagnose debug enable

Debug WAD (shows the SSH proxy handling the session and the filter verdict).
# diagnose debug reset
# diagnose wad filter src x.x.x.x          <----- Source IP.
# diagnose debug console timestamp enable
# diagnose debug duration 240
# diagnose wad debug enable category ssh
# diagnose wad debug enable level verbose
# diagnose debug enable

Stop debugging when finished, as verbose WAD output on a busy unit is costly.
# diagnose debug disable
# diagnose debug reset

Related document.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/745988/ssh-mitm-deep-inspection
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/SSL...