FortiGate
ametkola, Staff
Article Id 334302
Description

This article describes how to resolve an SFTP connection failure that occurs when a proxy-mode inspection policy with a deep-inspection certificate is applied.

Scope

FortiGate.

Solution

The example below shows that, when connecting to SFTP, the client is prompted to accept a host key when an Antivirus UTM profile is applied to scan the SFTP traffic together with a deep-inspection profile.

In this scenario, SSH deep scan is enabled under the deep-inspection profile.


Once SSH deep scan is enabled and proxy inspection mode is selected, FortiGate acts as a man in the middle (MITM) for the SSH session, and SSH key-based authentication will fail.
Public key-based server authentication is not allowed when SSH deep inspection is enabled, because of this MITM model.
The SSH proxy does not hold the user's private key, so it cannot present the same public key that the client offered for server authentication. This is why the key verification fails.


Delete the known_hosts file on the user's machine and establish the SSH connection to the server again.

To locate it, open File Explorer -> Local Disk (C:) -> Users -> <user profile> -> .ssh; the known_hosts file there records the host keys from the user's earlier connection attempts.

The following workaround can also be applied: disable SSH deep scan.

Another solution for this behavior is to add the server as a trusted host on FortiGate and import its public key.

On the SFTP server, run the following command:

ssh-keyscan -t ECDSA <IP_address_of_SFTP>

The output line starts with the key type, for example ecdsa-sha2-nistp256. The curve suffix (here nistp256) gives the NID value (256) to use in the host-key configuration below, and the base64 string that follows it is the public key.

config firewall ssh host-key
    edit "name"
        set hostname ''
        set status trusted
        set type ECDSA
        set nid 256
        set usage transparent-proxy
        set ip 'SFTP_server_IP'
        set port 22
        set public-key "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE5WUGOI0nhWF5wHo/Jw4je7T7idLKWcXRm600utlsvpGfcqjQCuEs591YMSg+JQdvwsgfx5EFY8E4BNul3YA3U="
    next
end

If the following error appears, the NID value does not match the public key:

public-key content is incorrect!
node_check_object fail! for public-key
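To make the NID check concrete, the following added Python example (not from the article or from Fortinet) parses an ssh-keyscan output line, decodes the SSH public-key blob to confirm that its embedded key type and curve agree with the declared type (the mismatch behind the error above), and emits the matching host-key stanza. The IP address is a constructed documentation address; the key blob is the example key from the configuration above, written as one unbroken base64 string.

```python
import base64

# Curve name embedded in an ECDSA SSH public key -> FortiGate `set nid` value.
CURVE_TO_NID = {"nistp256": 256, "nistp384": 384, "nistp521": 521}

# Constructed line in ssh-keyscan output format: a documentation IP address
# plus the example key blob from the host-key configuration above.
SAMPLE_LINE = (
    "192.0.2.10 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE5WUGOI0nhWF5wHo/"
    "Jw4je7T7idLKWcXRm600utlsvpGfcqjQCuEs591YMSg+JQdvwsgfx5EFY8E4BNul3YA3U="
)

def _read_string(blob, offset):
    """Read one length-prefixed SSH 'string' (RFC 4251) starting at offset."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    start, end = offset + 4, offset + 4 + length
    if len(blob) < start or end > len(blob):
        raise ValueError("truncated public-key blob")
    return blob[start:end], end

def ecdsa_nid(key_type, b64):
    """Return the NID for an ECDSA host key after checking that the base64
    blob really encodes the declared type (the mismatch FortiGate rejects)."""
    prefix = "ecdsa-sha2-"
    if not key_type.startswith(prefix):
        raise ValueError("only ECDSA host keys are handled here")
    blob = base64.b64decode(b64, validate=True)  # rejects stray spaces etc.
    embedded_type, off = _read_string(blob, 0)
    curve, off = _read_string(blob, off)
    point, off = _read_string(blob, off)
    if embedded_type != key_type.encode() or curve != key_type[len(prefix):].encode():
        raise ValueError("key type / NID does not match public-key content")
    if off != len(blob) or point[:1] != b"\x04":  # uncompressed EC point
        raise ValueError("malformed EC point in public key")
    return CURVE_TO_NID[curve.decode()]

def host_key_config(name, keyscan_line, port=22):
    """Build the 'config firewall ssh host-key' stanza for one keyscan line."""
    host, key_type, b64 = keyscan_line.split()[:3]
    nid = ecdsa_nid(key_type, b64)
    lines = ["config firewall ssh host-key", f'    edit "{name}"',
             "        set status trusted", "        set type ECDSA",
             f"        set nid {nid}", "        set usage transparent-proxy",
             f"        set ip {host}", f"        set port {port}",
             f'        set public-key "{b64}"', "    next", "end"]
    return "\n".join(lines)
```

Running `print(host_key_config("sftp-server", SAMPLE_LINE))` prints a stanza with `set nid 256`; passing a key type whose curve differs from the blob, or a blob copied with a stray space in it, raises ValueError instead of producing a configuration FortiGate would reject.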

 

Once those changes are performed, monitor the stability of the SFTP connection.

Related document:

https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/277620/config-firewall-ssh-host-key