SSH file scan 6.2.2
File scanning over SSH traffic (SCP and SFTP) is part of firewall profile-protocol-options, ssh-filter profile, AV profile, and DLP sensor. FortiGate devices can buffer, scan, log, or block files sent over SCP and SFTP depending on its file-size, file-type, or file-contents (such as virus or sensitive contents).
This feature includes the following SSH settings in CLI:
- SSH protocol options in firewall
protocol-profileoptions. - SCP block/log options in
ssh-filter-profile. file-filterfeature added inssh-filter-profile.- SCP/SFTP options in DLP sensor.
- SSH scan options in AV profile.
- SSH AV quarantine options.
- Logs for SCP and SFTP traffic.
- Replacement message for SCP and SFTP traffic.
To configure SSH protocol options in firewall protocol-profile options:
config firewall profile-protocol-options
edit "protocol"
config ssh
set options [oversize | clientcomfort | servercomfort] <-- Block oversized file | prevent client/server timeout.
set comfort-interval [1 - 900] <-- Frequency in seconds that FGT periodically sends packet to client/server to prevent timeout.
set comfort-amount [1 - 65535] <-- Number of bytes to send in each transmission to prevent timeout.
set oversize-limit [1 - 798] <-- Maximum in-memory file size that can be scanned (MB).
set uncompressed-oversize-limit [0 - 798] <-- Maximum in-memory uncompressed file size that can be scanned.
set uncompressed-nest-limit [2 - 100] <-- Maximum nested levels of compression that can be uncompressed and scanned.
set scan-bzip2 [enable | disable] <-- Enable/disable scanning of BZip2 compressed files.
end
To configure SCP block/log options in ssh-filter-profile:
config ssh-filter profile
edit "ssh-test"
set block scp <-- Block scp traffic.
set log scp <-- Log scp traffic.
next
end
To configure file-filter feature added in ssh-filter-profile:
config ssh-filter profile
edit "ssh-test"
config file-filter
set status [enable | disable] <-- Enable/disable disable file-filter.
set log [enable | disable] <-- Enable/disable file-filter log.
set scan-archive-contents [enable | disable] <-- Allow FGT to scan contents of archive file.
config entries
edit "1"
set comment ''
set action [block | log] <-- Block/only log the file transfer.
set direction [incoming | outgoing | any] <-- Allow file-filter to take effect on incoming/outgoing/any traffic.
set password-protected [yes | any] <-- If 'yes', file-filter only matches password-protected archive files (encrypted zip).
set file-type "msoffice" <-- Choose file-types for file-filter to match.
next
end
end
next
end
To configure SCP/SFTP options in DLP sensor:
config dlp sensor
edit "test"
set full-archive-proto ssh <-- Allow dlp sensor to archive scp and sftp traffic.
set summary-proto ssh <-- Allow dlp sensor to summarize archive records information for scp and sftp traffic.
config filter
edit 1
set proto ssh <-- Allow dlp sensor to check files sent over scp and sftp.
next
end
next
end
To configure SSH scan options in AV profile:
config antivirus profile
edit "av"
config ssh <-- Allow FGT to scan scp and sftp traffic.
set options [scan | avmonitor | quarantine]
set archive-block [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled] <-- Choose archive file types to block.
set archive-log [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled] <-- Choose archive file types to log.
set emulator [enable | disable] <-- Enable/disable virus emulator.
set outbreak-prevention [disabled | files | full-archive] <-- Analyze (or not analyze) contents of archives for outbreak prevention.
end
next
end
To configure SSH AV quarantine options:
config antivirus quarantine set drop-infected ssh <-- Drop and delete infected files sent over scp and sftp. set store-infected ssh <-- Quarantine infected files sent over scp and sftp. set drop-blocked ssh <-- Drop and delete blocked files sent over scp and sftp. set store-blocked ssh <-- Quarantine blocked files sent over scp and sftp. set drop-heuristic ssh <-- Drop and delete files detected by heuristics sent over scp and sftp. set store-heuristic ssh <-- Quarantine files detected by heuristics sent over scp and sftp. end
To configure logs for SCP and SFTP traffic:
scp traffic blocked by ssh-filter profile:
1: date=2019-07-24 time=10:34:42 logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-channel" level="warning" vd="vdom1" eventtime=1563989682560488314 tz="-0700" policyid=1 sessionid=2693 profile="ssh-test" srcip=10.1.100.11 srcport=33044 dstip=172.16.200.44 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" direction="outgoing" login="root" channeltype="scp"
scp traffic blocked by file-filter:
1: date=2019-07-24 time=10:36:44 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563989804387444023 tz="-0700" policyid=1 sessionid=2732 srcip=10.1.100.11 srcport=33048 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."
sftp traffic blocked by file-filter:
1: date=2019-07-24 time=10:43:58 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563990238339440605 tz="-0700" policyid=1 sessionid=2849 srcip=10.1.100.11 srcport=33056 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."
scp traffic blocked by dlp sensor:
1: date=2019-07-24 time=10:41:23 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990083875731367 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2809 epoch=1425775842 eventid=0 srcip=10.1.100.11 srcport=33052 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"
sftp traffic blocked by dlp sensor:
1: date=2019-07-24 time=10:42:42 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990162266253784 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2838 epoch=1425775843 eventid=0 srcip=10.1.100.11 srcport=33054 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"
scp traffic blocked by av profile:
1: date=2019-07-24 time=10:45:57 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990357330463670 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SCP" sessionid=2875 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33064 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
sftp traffic blocked by av profile:
2: date=2019-07-24 time=10:45:46 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990346334781409 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SFTP" sessionid=2874 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33062 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
antivirus quarantine list that triggered by infected file sent over scp/sftp:
CHECKSUM SIZE FIRST-TIMESTAMP LAST-TIMESTAMP SERVICE STATUS DC TTL FILENAME DESCRIPTION
53badd68 12939 2019-07-24 10:45 2019-07-24 10:45 SSH Infected 1 FOREVER 'eicar.exe' 'EICAR_TEST_FILE'
Replacement messages for SCP and SFTP traffic
|
SFTP download/upload does not display replacement message due to client behavior. SCP download does not currently display replacement message. |
Replacement message for scp upload blocked by av:
The file "eicar.exe" has been blocked because it contains the virus "EICAR_TEST_FILE".
Replacement message for scp upload blocked by file-filter:
The file "test.xls" has been blocked due to its file type or properties.
Replacement message for scp upload blocked by dlp:
The file "eicar.exe" has been blocked due to a detected data leak.