FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 199640
Description This article describes how to block SSH connection but allow SFTP while using the same TCP Port 22

- SSH traffic will use Putty

- SFTP traffic will use WinSCP


SSH and SFTP traffic use the same TCP port 22.

If there is a requirement to block SSH but allow SFTP, then please follow this step.


1). Firewall policy is in proxy-based inspection mode


2). Create SSL Inspection profile for deep inspection


config firewall ssl-ssh-profile
 edit "blockSSH-profile"

  config ssh
   set status deep-inspection
   set inspect-all deep-inspection
   set ssh-tun-policy-check enable



3). Create a custom signature for WinSCP

     - Security Profiles > Application Signature > Create New


F-SBID( --name "WinSCP.custom"; --protocol tcp; --service SSH; --flow from_client; --seq =,1,relative; --pattern "SSH"; --distance 0, packet; --within 3, packet; --no_case; --pattern "WinSCP_release"; --distance 5; --within 14; --no_case; --weight 20; --app_cat 12; )


4). Create application control profile, with custom signature at the top with "Monitor" action, and "SSH" signature with "Block" action


app profile.PNG


5). Apply the SSL Inspection profile and application control profile to the intended firewall policy


config firewall policy
 edit 90
  set name "SSH"
  set srcintf "port1"
  set dstintf "port2"
  set srcaddr "all"
  set dstaddr "SFTP Server address"
  set action accept
  set schedule "always"
  set service "ALL"
  set utm-status enable
  set inspection-mode proxy
  set ssl-ssh-profile "blockSSH-profile"
  set application-list "blockSSH"
  set logtraffic all
  set nat enable

Using putty, SSH will be blocked, but using WinSCP the SFTP traffic will be allowed.

If this step not working then please create a ticket to Fortinet Technical Support to investigate further.