Technical Tip : How to block SSH but allow SFTP using the same TCP port 22

- SSH traffic will use Putty

- SFTP traffic will use WinSCP

SSH and SFTP traffic use the same TCP port 22.

If there is a requirement to block SSH but allow SFTP, then please follow this step.

1). Firewall policy is in proxy-based inspection mode

2). Create SSL Inspection profile for deep inspection

config firewall ssl-ssh-profile
 edit "blockSSH-profile"

  config ssh
   set status deep-inspection
   set inspect-all deep-inspection
   set ssh-tun-policy-check enable
 end

end

3). Create a custom signature for WinSCP

     - Security Profiles > Application Signature > Create New

F-SBID( --name "WinSCP.custom"; --protocol tcp; --service SSH; --flow from_client; --seq =,1,relative; --pattern "SSH"; --distance 0, packet; --within 3, packet; --no_case; --pattern "WinSCP_release"; --distance 5; --within 14; --no_case; --weight 20; --app_cat 12; )

4). Create application control profile, with custom signature at the top with "Monitor" action, and "SSH" signature with "Block" action

5). Apply the SSL Inspection profile and application control profile to the intended firewall policy

config firewall policy
 edit 90
  set name "SSH"
  set srcintf "port1"
  set dstintf "port2"
  set srcaddr "all"
  set dstaddr "SFTP Server address"
  set action accept
  set schedule "always"
  set service "ALL"
  set utm-status enable
  set inspection-mode proxy
  set ssl-ssh-profile "blockSSH-profile"
  set application-list "blockSSH"
  set logtraffic all
  set nat enable
 next
end
 

Using putty, SSH will be blocked, but using WinSCP the SFTP traffic will be allowed.

If this step not working then please create a ticket to Fortinet Technical Support to investigate further.