1mm
Contributor

Fortigate SSH

Hello,

 

We have one Ubuntu Server where we have enabled SSH, and now I'm trying to provide SSH access for some users, but I would like to apply application control to the rule. In the rule I added SRC, DST, User Group and Port (TCP 22), then created an application group where I blocked all applications but enabled SSH applications (did an override), but users can't access the server. But then I added to this application rule one more override rule, where I also selected the "Canonical Ubuntu" application, and then users got access.

 

But in this "Canonical Ubuntu" ( https://www.fortiguard.com/encyclopedia/iotapp/10000501 ) I see a lot of protocols (UDP, SNMP, TCP, HTTP, SSH). I need to provide access just to SSH. How can I do it? And also, by best practice, how do I need to create a policy in such cases?

srajeswaran

Thanks for the clarification @1mm . I am afraid this will be allowed.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
saneeshpv_FTNT

Hi,

 

As mentioned in my previous post, it shouldn't allow HTTP on port 22, because you have application control enabled with "Canonical Ubuntu", which will not allow HTTP on a non-standard port, which is 22 here. So the traffic should ideally be blocked. You can test this and share your feedback.

 

Best Regards,

srajeswaran

I believe this option will fix the issue for you: "Block applications detected on non-default ports".

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Port-enforcement-check/ta-p/196078

Regards,
Suraj
1mm
Contributor

And several additional questions:

1 - It's normal practice to create an application profile, block all application categories and then enable (override) the needed application (if you need to create a policy based on application), correct?

2 - Why doesn't the FortiGate allow SSH with the standard application but allows it with Canonical Ubuntu?

Are there any changes in Ubuntu for SSH? Are there some changes in SSH signatures from the Ubuntu side, so that the FortiGate doesn't recognize it as "Standard" SSH?

 

And thanks for the workaround "Block applications detected on non-default ports".

 

@saneeshpv_FTNT Thanks for your reply, will check it.

srajeswaran

1 - is correct. The general rule is to block everything and allow only the specific application/traffic.

2 - From your tests it looks like normal SSH and Standard SSH have some differences, but I am not sure what are the differences.

Regards,
Suraj
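The following FortiOS CLI configuration is an added illustration of what the thread describes (block all application categories, override a single application, and turn on port enforcement for that application sensor, then attach the sensor to the port-22 policy for the user group). It is not configuration posted by anyone in this thread. The sensor and policy names, the interface names, the address object "ubuntu-server" and the user group "ssh-users" are assumptions; replace `<SSH_APP_ID>` with the numeric ID shown for the SSH application in the FortiGuard application encyclopedia linked above, because the ID is not given on this page.

```text
# Application sensor: block everything, pass only SSH, enforce default ports.
# "enforce-default-app-port enable" is the CLI form of the GUI option
# "Block applications detected on non-default ports" mentioned in the thread.
config application list
    edit "ssh-only"            # assumed sensor name
        set comment "Block all categories; allow only SSH on its default port"
        set enforce-default-app-port enable
        config entries
            # Entries are evaluated top-down: the SSH override must come first.
            edit 1
                set application <SSH_APP_ID>   # placeholder: look up in the encyclopedia
                set action pass
            next
            # An entry with no category or application set matches all categories.
            edit 2
                set action block
            next
        end
    next
end

# Firewall policy: SRC, DST, user group and TCP/22, with the sensor applied.
# "SSH" is the FortiOS predefined service object for TCP/22.
config firewall policy
    edit 0
        set name "users-to-ubuntu-ssh"     # assumed policy name
        set srcintf "internal"             # assumed interface
        set dstintf "dmz"                  # assumed interface
        set srcaddr "all"
        set dstaddr "ubuntu-server"        # assumed address object for the server
        set groups "ssh-users"             # assumed user group
        set service "SSH"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "ssh-only"
        set logtraffic all
    next
end
```

With this layout only traffic identified as SSH is passed, and anything identified as another application (HTTP on port 22, for example) is blocked by entry 2. Setting `logtraffic all` lets you confirm in the forward-traffic log which application signature matched, which is the quickest way to check whether the SSH sessions from the Ubuntu host are being classified as SSH or as something else before deciding whether the "Canonical Ubuntu" override is needed at all.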