

SSH traffic file scanning

FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).

Note

This feature is supported in proxy-based inspection mode, because the FortiGate must proxy the SSH session to see the files it carries. It is currently not supported in flow-based inspection mode.

You can configure the following SSH traffic settings in the CLI:

  • Protocol options
  • Filter profile (SCP block/log options and file filter)
  • DLP sensor
  • Antivirus (profile and quarantine options)
To configure SSH protocol options:
config firewall profile-protocol-options
    edit "protocol"
        config ssh
           set options [oversize | clientcomfort | servercomfort]
           set comfort-interval [1 - 900]
           set comfort-amount [1 - 65535]
           set oversize-limit [1 - 798]
           set uncompressed-oversize-limit [0 - 798]
           set uncompressed-nest-limit [2 - 100]
           set scan-bzip2 [enable | disable]
        end
    next
end
To configure SCP block and log options:
config ssh-filter profile
    edit "ssh-test"
        set block scp
        set log scp
    next
end
To configure the SSH file filter:
config ssh-filter profile
    edit "ssh-test"
        config file-filter
            set status [enable | disable]
            set log [enable | disable]
            set scan-archive-contents [enable | disable]
            config entries
                edit "1"
                    set comment ''
                    set action [block | log]
                    set direction [incoming | outgoing | any]
                    set password-protected [yes | any]
                    set file-type "msoffice"
                next
            end
        end
    next
end
To configure the DLP sensor:
config dlp sensor
    edit "test"
        set full-archive-proto ssh
        set summary-proto ssh
        config filter
            edit 1
                set proto ssh
            next
        end
    next
end
To configure the antivirus profile options:
config antivirus profile
    edit "av"
        config ssh
            set options [scan | avmonitor | quarantine]    
            set archive-block [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
            set archive-log [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
            set emulator [enable | disable]
            set outbreak-prevention [disabled | files | full-archive]
        end
    next
end
To configure the antivirus quarantine options:
config antivirus quarantine
    set drop-infected ssh
    set store-infected ssh
    set drop-blocked ssh
    set store-blocked ssh
    set drop-heuristic ssh
    set store-heuristic ssh
end

Sample logs

SCP traffic blocked by ssh-filter profile:
1: date=2019-07-24 time=10:34:42 logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-channel" level="warning" vd="vdom1" eventtime=1563989682560488314 tz="-0700" policyid=1 sessionid=2693 profile="ssh-test" srcip=10.1.100.11 srcport=33044 dstip=172.16.200.44 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" direction="outgoing" login="root" channeltype="scp"
SCP traffic blocked by file-filter:
1: date=2019-07-24 time=10:36:44 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563989804387444023 tz="-0700" policyid=1 sessionid=2732 srcip=10.1.100.11 srcport=33048 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."
SFTP traffic blocked by file-filter:
1: date=2019-07-24 time=10:43:58 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563990238339440605 tz="-0700" policyid=1 sessionid=2849 srcip=10.1.100.11 srcport=33056 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."
SCP traffic blocked by dlp sensor (note: this sample log reports subservice="SFTP" while the next one reports subservice="SCP"; the two DLP headings appear to be transposed):
1: date=2019-07-24 time=10:42:42 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990162266253784 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2838 epoch=1425775843 eventid=0 srcip=10.1.100.11 srcport=33054 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"
SFTP traffic blocked by dlp sensor (note: this sample log reports subservice="SCP"; see the transposition note on the previous sample):
1: date=2019-07-24 time=10:41:23 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990083875731367 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2809 epoch=1425775842 eventid=0 srcip=10.1.100.11 srcport=33052 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"
SCP traffic blocked by antivirus profile (the sample uses the EICAR test file, reported as virus="EICAR_TEST_FILE"):
1: date=2019-07-24 time=10:45:57 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990357330463670 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SCP" sessionid=2875 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33064 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
SFTP traffic blocked by antivirus profile (the sample uses the EICAR test file, reported as virus="EICAR_TEST_FILE"):
2: date=2019-07-24 time=10:45:46 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990346334781409 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SFTP" sessionid=2874 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33062 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Antivirus quarantine list entry for the infected file sent over SCP/SFTP (its CHECKSUM value matches the checksum field in the antivirus logs above, which lets you correlate the quarantined file with the log events):
CHECKSUM SIZE     FIRST-TIMESTAMP  LAST-TIMESTAMP   SERVICE STATUS     DC       TTL           FILENAME DESCRIPTION
53badd68 12939    2019-07-24 10:45 2019-07-24 10:45 SSH     Infected    1   FOREVER    'eicar.exe' 'EICAR_TEST_FILE'

SSH traffic file scanning

SSH traffic file scanning

FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).

Note

This feature is supported in proxy-based inspection mode, because the FortiGate must proxy the SSH session to see the files it carries. It is currently not supported in flow-based inspection mode.

You can configure the following SSH traffic settings in the CLI:

  • Protocol options
  • Filter profile (SCP block/log options and file filter)
  • DLP sensor
  • Antivirus (profile and quarantine options)
To configure SSH protocol options:
config firewall profile-protocol-options
    edit "protocol"
        config ssh
           set options [oversize | clientcomfort | servercomfort]
           set comfort-interval [1 - 900]
           set comfort-amount [1 - 65535]
           set oversize-limit [1 - 798]
           set uncompressed-oversize-limit [0 - 798]
           set uncompressed-nest-limit [2 - 100]
           set scan-bzip2 [enable | disable]
        end
    next
end
To configure SCP block and log options:
config ssh-filter profile
    edit "ssh-test"
        set block scp
        set log scp
    next
end
To configure the SSH file filter:
config ssh-filter profile
    edit "ssh-test"
        config file-filter
            set status [enable | disable]
            set log [enable | disable]
            set scan-archive-contents [enable | disable]
            config entries
                edit "1"
                    set comment ''
                    set action [block | log]
                    set direction [incoming | outgoing | any]
                    set password-protected [yes | any]
                    set file-type "msoffice"
                next
            end
        end
    next
end
To configure the DLP sensor:
config dlp sensor
    edit "test"
        set full-archive-proto ssh
        set summary-proto ssh
        config filter
            edit 1
                set proto ssh
            next
        end
    next
end
To configure the antivirus profile options:
config antivirus profile
    edit "av"
        config ssh
            set options [scan | avmonitor | quarantine]    
            set archive-block [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
            set archive-log [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
            set emulator [enable | disable]
            set outbreak-prevention [disabled | files | full-archive]
        end
    next
end
To configure the antivirus quarantine options:
config antivirus quarantine
    set drop-infected ssh
    set store-infected ssh
    set drop-blocked ssh
    set store-blocked ssh
    set drop-heuristic ssh
    set store-heuristic ssh
end

Sample logs

SCP traffic blocked by ssh-filter profile:
1: date=2019-07-24 time=10:34:42 logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-channel" level="warning" vd="vdom1" eventtime=1563989682560488314 tz="-0700" policyid=1 sessionid=2693 profile="ssh-test" srcip=10.1.100.11 srcport=33044 dstip=172.16.200.44 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" direction="outgoing" login="root" channeltype="scp"
SCP traffic blocked by file-filter:
1: date=2019-07-24 time=10:36:44 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563989804387444023 tz="-0700" policyid=1 sessionid=2732 srcip=10.1.100.11 srcport=33048 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."
SFTP traffic blocked by file-filter:
1: date=2019-07-24 time=10:43:58 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563990238339440605 tz="-0700" policyid=1 sessionid=2849 srcip=10.1.100.11 srcport=33056 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."
SCP traffic blocked by dlp sensor (note: this sample log reports subservice="SFTP" while the next one reports subservice="SCP"; the two DLP headings appear to be transposed):
1: date=2019-07-24 time=10:42:42 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990162266253784 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2838 epoch=1425775843 eventid=0 srcip=10.1.100.11 srcport=33054 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"
SFTP traffic blocked by dlp sensor (note: this sample log reports subservice="SCP"; see the transposition note on the previous sample):
1: date=2019-07-24 time=10:41:23 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990083875731367 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2809 epoch=1425775842 eventid=0 srcip=10.1.100.11 srcport=33052 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"
SCP traffic blocked by antivirus profile (the sample uses the EICAR test file, reported as virus="EICAR_TEST_FILE"):
1: date=2019-07-24 time=10:45:57 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990357330463670 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SCP" sessionid=2875 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33064 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
SFTP traffic blocked by antivirus profile (the sample uses the EICAR test file, reported as virus="EICAR_TEST_FILE"):
2: date=2019-07-24 time=10:45:46 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990346334781409 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SFTP" sessionid=2874 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33062 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Antivirus quarantine list entry for the infected file sent over SCP/SFTP (its CHECKSUM value matches the checksum field in the antivirus logs above, which lets you correlate the quarantined file with the log events):
CHECKSUM SIZE     FIRST-TIMESTAMP  LAST-TIMESTAMP   SERVICE STATUS     DC       TTL           FILENAME DESCRIPTION
53badd68 12939    2019-07-24 10:45 2019-07-24 10:45 SSH     Infected    1   FOREVER    'eicar.exe' 'EICAR_TEST_FILE'