I am testing the connection on command-line, using:
sftp -vvv user@example.com
This returns:
debug2: resolving "example.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to example.com [example.com] port 22.
debug1: Connection established.
..
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
ssh_exchange_identification: read: Connection reset by peer
(firewall dropped the connection)
Using an offsite VPN to the same connection:
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: (no match)
Unable to negotiate with example.com port 22: no matching host key type found. Their offer: ssh-dss
(successful connection, but wrong algo)
Adding the legacy SSH flag while on the offsite VPN (sftp -vvv -oHostKeyAlgorithms=+ssh-dss user@example.com) returns:
The authenticity of host 'example.com (example.com)' can't be established.
DSA key fingerprint is SHA256:snipped.
Are you sure you want to continue connecting (yes/no)?
(success)
My question is: By what method can I allow this legacy connection through Fortigate to example.com?
I am using a Fortigate 310B.
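As an added diagnostic example (not part of the question, and not Fortinet or OpenSSH code), a small Python classifier that tells the in-path reset at the SSH identification banner apart from the client-side host key algorithm refusal, using constructed samples modelled on the three outputs above (hostnames, addresses and fingerprint are placeholders):

```python
import re

# Constructed samples modelled on the three attempts in the question
# (not real captures; the address and fingerprint are placeholders).
RESET_AT_BANNER = """debug1: Connecting to example.com [192.0.2.10] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
ssh_exchange_identification: read: Connection reset by peer"""

NO_HOSTKEY_MATCH = """debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: (no match)
Unable to negotiate with example.com port 22: no matching host key type found. Their offer: ssh-dss"""

CONNECTED = """debug1: kex: host key algorithm: ssh-dss
The authenticity of host 'example.com (192.0.2.10)' can't be established.
DSA key fingerprint is SHA256:PLACEHOLDER."""


def classify_ssh_debug(output: str) -> dict:
    """Classify where a verbose ssh/sftp attempt stopped.

    Returns a dict with the 'stage' reached and, for a host key mismatch,
    the algorithms the server offered so the administrator can judge them.
    """
    # TCP connected but the peer closed it at the SSH identification banner:
    # key exchange never started, so this is not an algorithm problem on the
    # client side but something in the path (here, the firewall) ending it.
    if re.search(r"^ssh_exchange_identification: .*Connection reset", output, re.M):
        return {"stage": "identification", "reason": "reset before key exchange"}
    # Key exchange ran, but the client's HostKeyAlgorithms policy rejected
    # everything the server offers (e.g. only ssh-dss).
    m = re.search(r"no matching host key type found\. Their offer: (\S+)", output)
    if m:
        return {"stage": "kex", "reason": "host key algorithm mismatch",
                "offered": m.group(1).split(",")}
    # Negotiation completed and the client reached the host key prompt.
    if re.search(r"^The authenticity of host .* can't be established", output, re.M):
        return {"stage": "hostkey", "reason": "negotiated; host key prompt reached"}
    return {"stage": "unknown", "reason": "no recognised marker"}
```

The third case reports the offered algorithm list rather than accepting it, so the decision to enable a legacy host key type stays with the administrator.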