Description
This article describes how to solve SFTP connection failure with a proxy mode inspection policy and deep-inspection certificate.
Scope
FortiGate.
Solution
The example below shows that, when connecting to SFTP through a FortiGate that applies an Antivirus UTM profile to scan SFTP traffic together with a deep-inspection profile, the SSH client is prompted to accept a host key.
This occurs when SSH deep scan is enabled under the deep-inspection profile.
Once SSH deep scan is enabled and proxy inspection mode is selected, the FortiGate acts as a man-in-the-middle (MITM) for the SSH session, and SSH key authentication fails.
Public key-based server authentication is not allowed when SSH deep inspection is enabled, because of this MITM model.
The SSH proxy does not hold the user's private key, so it cannot present the same public key the client offered for server authentication. This is why the key verification fails.
Delete the known_hosts text file on the user machine and establish the SSH connection to the server again.
In File Explorer, open Local Disk (C:) -> Users -> SSH File; the known_hosts file that records the user's previous connection attempts is found there.
The following workaround can also be applied: disable the SSH deep scan.
Another solution for this behavior is to add the SFTP server as a trusted host on the FortiGate and import its public key.
On the SFTP server, run the following command:
ssh-keyscan -t ECDSA <IP_address_of_SFTP>
The output line has the form: <IP_address_of_SFTP> ecdsa-sha2-nistp256 <base64 public key>
ecdsa-sha2-nistp256 <---- Check the curve suffix here (nistp256) to obtain the 'NID' value (256) used in the host-key configuration; the base64 string is the value for public-key.
config firewall ssh host-key
    edit "name"
        set hostname ''
        set status trusted
        set type ECDSA
        set nid 256
        set usage transparent-proxy
        set ip 'SFTP_server_IP'
        set port 22
        set public-key "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE5WUGOI0nhWF5wHo/Jw4je7T7idLKWcXRm600utlsvpGfcqjQCuEs591YMSg+JQdvwsgfx5EFY8E4BNul3YA3U="
    next
end
If the error below appears, the NID that was set does not match the public key:
public-key content is incorrect!
node_check_object fail! for public-key
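As an added example (not part of this article or of FortiOS), the script below parses a line in the format ssh-keyscan prints (host, key type, base64 key), decodes the SSH public-key blob, checks that the declared key type and the curve embedded in the blob agree, derives the NID from the curve name, and renders the 'config firewall ssh host-key' block. This catches the NID/public-key mismatch above before the configuration is pushed to the firewall. The host address 192.0.2.10 is a constructed placeholder; the key blob is the example public key from the CLI block in this article.

```python
import base64
import struct

# Constructed sample in ssh-keyscan output format. The host is a placeholder
# (RFC 5737 documentation address); the key is the article's example key.
SAMPLE_KEYSCAN_LINE = (
    "192.0.2.10 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE5WUGOI0nhWF5wHo/"
    "Jw4je7T7idLKWcXRm600utlsvpGfcqjQCuEs591YMSg+JQdvwsgfx5EFY8E4BNul3YA3U="
)

# Uncompressed EC point length (0x04 byte + X + Y) for each NIST curve SSH uses.
ECDSA_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}


def read_ssh_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_keyscan_line(line):
    """Parse '<host> <key-type> <base64-key>' and derive the FortiGate NID.

    The base64 blob embeds its own key type and, for ECDSA, the curve name,
    so a declared type that disagrees with the blob is rejected here instead
    of by the firewall when 'set public-key' is entered.
    """
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("expected '<host> <key-type> <base64-key>'")
    host, key_type, b64 = parts
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("public key is not valid base64: %s" % exc)
    embedded, off = read_ssh_string(blob, 0)
    embedded = embedded.decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("declared type %s but blob contains %s" % (key_type, embedded))
    nid = None
    if key_type.startswith("ecdsa-sha2-"):
        curve, off = read_ssh_string(blob, off)
        curve = curve.decode("ascii", "replace")
        if "ecdsa-sha2-" + curve != key_type or curve not in ECDSA_POINT_LEN:
            raise ValueError("curve %s does not match key type %s" % (curve, key_type))
        point, off = read_ssh_string(blob, off)
        if len(point) != ECDSA_POINT_LEN[curve] or point[0] != 0x04:
            raise ValueError("EC point length or format is wrong for %s" % curve)
        if off != len(blob):
            raise ValueError("trailing bytes after the EC point")
        nid = int(curve[len("nistp"):])  # "nistp256" -> 256
    return {"host": host, "key_type": key_type, "nid": nid, "public_key": b64}


def key_problem(line):
    """Return None when the line is self-consistent, else the reason it is not."""
    try:
        parse_keyscan_line(line)
    except ValueError as exc:
        return str(exc)
    return None


def nid_matches(parsed, configured_nid):
    """The 'set nid' value must equal the curve size embedded in the key."""
    return parsed["nid"] is not None and parsed["nid"] == configured_nid


def fortigate_host_key_config(parsed, name, port=22):
    """Render the 'config firewall ssh host-key' block with the derived NID."""
    if parsed["nid"] is None:
        raise ValueError("this example renders ECDSA host keys only")
    return "\n".join([
        "config firewall ssh host-key",
        '    edit "%s"' % name,
        "        set hostname ''",
        "        set status trusted",
        "        set type ECDSA",
        "        set nid %d" % parsed["nid"],
        "        set usage transparent-proxy",
        "        set ip %s" % parsed["host"],
        "        set port %d" % port,
        '        set public-key "%s"' % parsed["public_key"],
        "    next",
        "end",
    ])


if __name__ == "__main__":
    parsed = parse_keyscan_line(SAMPLE_KEYSCAN_LINE)
    print(fortigate_host_key_config(parsed, "sftp-server"))
```

Running the script prints a ready-to-paste CLI block with 'set nid 256' derived from the nistp256 curve inside the key; feeding it a line whose declared type or curve does not match the blob makes key_problem() return the reason instead of None.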
Once these changes are applied, monitor the stability of the SFTP connection.
Related document:
https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/277620/config-firewall-ssh-host-key