vhitnal
Staff
Article Id 196990

Description
This article describes how to enable SSH traffic file scanning.

Solution
FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).

Configure the following SSH traffic settings from the CLI:
- Protocol options.
- DLP sensor.
- Antivirus (profile and quarantine options).

To configure SSH protocol options:

config firewall profile-protocol-options
    edit "protocol"
        config ssh
            set options [oversize | clientcomfort | servercomfort]
            set comfort-interval [1 - 900]
            set comfort-amount [1 - 65535]
            set oversize-limit [1 - 798]
            set uncompressed-oversize-limit [0 - 798]
            set uncompressed-nest-limit [2 - 100]
            set scan-bzip2 [enable | disable]
        end
    next
end

To configure SCP block and log options:

config ssh-filter profile
    edit "ssh-test"
        set block scp
        set log scp
    next
end

To configure the DLP sensor:

config dlp sensor
    edit "test"
        set full-archive-proto ssh
        set summary-proto ssh
        config filter
            edit 1
                set proto ssh
            next
        end
    next
end

To configure the antivirus profile options:

config antivirus profile
    edit "av"
        config ssh
            set options [scan | avmonitor | quarantine]
            set archive-block [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
            set archive-log [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
            set emulator [enable | disable]
            set outbreak-prevention [disabled | files | full-archive]
        end
    next
end

To configure the antivirus quarantine options:

config antivirus quarantine
    set drop-infected ssh
    set store-infected ssh
    set drop-blocked ssh
    set store-blocked ssh
    set drop-heuristic ssh
    set store-heuristic ssh
end
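The settings above only take effect once the profiles are attached to a firewall policy that also applies SSH deep inspection, which the article does not show. The following is an added end-to-end example, not from the article or Fortinet's documentation: it fills in concrete values for the protocol options and antivirus profile, creates an SSL/SSH inspection profile that proxies SSH on port 22, and binds everything to a policy. The profile name "ssh-deep", the policy name, the interface names "port1"/"port2" and the chosen limits are assumptions for illustration; the DLP sensor and SSH filter profile from the article can be attached the same way with `set dlp-sensor` and `set ssh-filter-profile`.

```text
config firewall profile-protocol-options
    edit "protocol"
        config ssh
            set options oversize clientcomfort servercomfort
            set comfort-interval 10
            set comfort-amount 1
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 enable
        end
    next
end
config antivirus profile
    edit "av"
        config ssh
            set options scan quarantine
            set archive-block encrypted corrupted
            set archive-log multipart nested
            set emulator enable
            set outbreak-prevention files
        end
    next
end
config firewall ssl-ssh-profile
    edit "ssh-deep"
        config ssh
            set ports 22
            set status deep-inspection
        end
    next
end
config firewall policy
    edit 1
        set name "ssh-scan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
        set utm-status enable
        set ssl-ssh-profile "ssh-deep"
        set av-profile "av"
        set profile-protocol-options "protocol"
        set logtraffic all
    next
end
```

With deep inspection enabled the FortiGate terminates the SSH session and presents its own host key to the client, so clients that pin the server's host key will see a host-key mismatch until the FortiGate's key is trusted. Files larger than oversize-limit (here 10 MB) are passed or blocked according to the oversize option rather than scanned, so size the limit to the transfers you actually need inspected.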