FortiGate
darisandy (Staff)
Description

This article describes how to block interactive SSH connections while still allowing SFTP, even though both use the same TCP port 22.
Scope

- SSH traffic will use PuTTY

- SFTP traffic will use WinSCP

Solution

SSH and SFTP traffic use the same TCP port 22, so a service-based firewall rule cannot tell them apart.

If there is a requirement to block SSH but allow SFTP, follow these steps.

 

1). The firewall policy must be in proxy-based inspection mode

 

2). Create an SSL/SSH inspection profile with SSH deep inspection enabled

 

config firewall ssl-ssh-profile
    edit "blockSSH-profile"
        config ssh
            set status deep-inspection
            set inspect-all deep-inspection
            set ssh-tun-policy-check enable
        end
    next
end

 

3). Create a custom application signature for WinSCP

     - Security Profiles > Application Signatures > Create New

 

F-SBID( --name "WinSCP.custom"; --protocol tcp; --service SSH; --flow from_client; --seq =,1,relative; --pattern "SSH"; --distance 0, packet; --within 3, packet; --no_case; --pattern "WinSCP_release"; --distance 5; --within 14; --no_case; --weight 20; --app_cat 12; )
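The signature above keys on the SSH identification string the client sends at the start of the connection: "SSH" must sit in the first 3 bytes, and "WinSCP_release" must follow exactly 5 bytes after it (the "-2.0-" version field) within a 14-byte window. The following Python model, added here as an example and not part of the Fortinet article, reproduces that pattern/distance/within logic over constructed client banners so a defender can see why a WinSCP session matches the custom signature and a PuTTY session falls through to the built-in SSH signature. The banner strings, the `classify` helper and the action names are assumptions for illustration; the `--flow` and `--seq` options are not modelled.

```python
# Added example: a small model of the F-SBID pattern matching used by the
# "WinSCP.custom" signature. Not FortiOS code; it only mirrors the
# --pattern / --distance / --within / --no_case options on the client banner.

SSH_PATTERN = b"SSH"                 # --pattern "SSH"; --distance 0, packet; --within 3, packet
CLIENT_PATTERN = b"WinSCP_release"   # --pattern "WinSCP_release"; --distance 5; --within 14


def _find_ci(data: bytes, pattern: bytes, start: int, within: int) -> int:
    """Case-insensitive search for `pattern` inside data[start:start+within].

    Returns the offset just past the match (the anchor for the next pattern),
    or -1 if the pattern does not fit inside the window.
    """
    window = data[start:start + within].lower()
    idx = window.find(pattern.lower())
    if idx < 0:
        return -1
    return start + idx + len(pattern)


def matches_winscp_signature(client_banner: bytes) -> bool:
    """True when the client identification string satisfies both patterns."""
    # First pattern: "SSH" relative to packet start, must end within 3 bytes,
    # i.e. the banner has to begin with "SSH".
    end = _find_ci(client_banner, SSH_PATTERN, 0, 3)
    if end < 0:
        return False
    # Second pattern: skip 5 bytes after the previous match ("-2.0-"), then
    # "WinSCP_release" must end within the next 14 bytes.
    return _find_ci(client_banner, CLIENT_PATTERN, end + 5, 14) >= 0


def classify(client_banner: bytes) -> str:
    """Action the application control profile in step 4 would take.

    The custom signature is evaluated first (Monitor); anything else that
    looks like SSH hits the built-in SSH signature (Block). Action names are
    assumed labels for this example.
    """
    if matches_winscp_signature(client_banner):
        return "monitor"
    if client_banner.lower().startswith(b"ssh-"):
        return "block"
    return "no-match"


# Constructed sample banners following the "SSH-2.0-<client>" identification format.
SAMPLE_BANNERS = {
    "WinSCP": b"SSH-2.0-WinSCP_release_5.21.5\r\n",
    "PuTTY": b"SSH-2.0-PuTTY_Release_0.78\r\n",
    "OpenSSH": b"SSH-2.0-OpenSSH_9.3\r\n",
    "not SSH": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:8s} -> {classify(banner)}")
```

Note what this control actually distinguishes: it identifies the client by the banner it presents, not the protocol feature in use. SFTP is a subsystem carried inside an SSH session, so the profile allows whatever a WinSCP-identified client does over that session, and the match depends entirely on a string the client chooses to send. Treat it as a client-identification policy rather than a hard separation of shell access from file transfer, and pair it with server-side controls (for example, restricting the account to the SFTP subsystem) where shell access must be denied.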

 

4). Create an application control profile with the custom signature at the top with the "Monitor" action, followed by the built-in "SSH" signature with the "Block" action

 

[Screenshot: application control profile with WinSCP.custom (Monitor) listed above SSH (Block)]

 

5). Apply the SSL/SSH inspection profile and the application control profile to the intended firewall policy

 

config firewall policy
 edit 90
  set name "SSH"
  set srcintf "port1"
  set dstintf "port2"
  set srcaddr "all"
  set dstaddr "SFTP Server address"
  set action accept
  set schedule "always"
  set service "ALL"
  set utm-status enable
  set inspection-mode proxy
  set ssl-ssh-profile "blockSSH-profile"
  set application-list "blockSSH"
  set logtraffic all
  set nat enable
 next
end
 

With this in place, SSH sessions from PuTTY are blocked, while SFTP traffic from WinSCP is allowed.

If these steps do not work, open a ticket with Fortinet Technical Support to investigate further.
