FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).
This feature is supported only in proxy-based inspection mode; it is currently not supported in flow-based inspection mode, so the firewall policy carrying the SSH traffic must use proxy inspection for any of the settings below to take effect.
You can configure the following SSH traffic settings in the CLI:
- Protocol options (buffering, oversize and comfort settings for SSH)
- SSH filter profile (blocking and logging of SCP)
- DLP sensor
- Antivirus (profile and quarantine options)
Protocol options. The `oversize` option acts on files larger than `oversize-limit`; `clientcomfort` and `servercomfort` send `comfort-amount` bytes every `comfort-interval` seconds so the SSH session is not torn down while a large file is buffered for scanning:

    config firewall profile-protocol-options
        edit "protocol"
            config ssh
                set options [oversize | clientcomfort | servercomfort]
                set comfort-interval [1 - 900]
                set comfort-amount [1 - 65535]
                set oversize-limit [1 - 798]
                set uncompressed-oversize-limit [0 - 798]
                set uncompressed-nest-limit [2 - 100]
                set scan-bzip2 [enable | disable]
            end
        next
    end

SSH filter profile. `block` stops the SCP channel and `log` records it:

    config ssh-filter profile
        edit "ssh-test"
            set block scp
            set log scp
        next
    end

DLP sensor. `ssh` must be enabled both at the sensor level (archive and summary logging) and on each filter that should inspect SSH file transfers:

    config dlp sensor
        edit "test"
            set full-archive-proto ssh
            set summary-proto ssh
            config filter
                edit 1
                    set proto ssh
                next
            end
        next
    end

Antivirus profile. `scan` blocks infected files, `avmonitor` only logs them, and `quarantine` additionally keeps a copy subject to the quarantine settings below:

    config antivirus profile
        edit "av"
            config ssh
                set options [scan | avmonitor | quarantine]
                set archive-block [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
                set archive-log [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
                set emulator [enable | disable]
                set outbreak-prevention [disabled | files | full-archive]
            end
        next
    end

Antivirus quarantine. Each `drop-*` / `store-*` pair selects whether infected, blocked, or heuristically detected files from SSH are discarded or stored:

    config antivirus quarantine
        set drop-infected ssh
        set store-infected ssh
        set drop-blocked ssh
        set store-blocked ssh
        set drop-heuristic ssh
        set store-heuristic ssh
    end
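The profiles above only act on SSH file transfers when the firewall policy that references them uses proxy inspection, and an antivirus profile whose SSH options are set to `avmonitor` logs but never blocks. The following script is an added example, not FortiGate code or part of the original page: it parses FortiOS-style `config` / `edit` / `set` / `next` / `end` text and flags policies where SSH file scanning cannot take effect. The sample configuration is constructed for the example; the policy keywords `inspection-mode`, `ssh-filter-profile`, `dlp-sensor` and `av-profile`, and the assumption that a policy without an explicit `inspection-mode` runs in flow mode, are the example's own assumptions.

```python
"""Lint FortiOS CLI text for SSH (SCP/SFTP) file inspection. Added example, not
FortiGate code: it parses config/edit/set/next/end blocks and flags firewall
policies whose SSH file scanning cannot take effect (flow mode, monitor-only AV)."""
import shlex

# Constructed sample. Assumed policy keywords: inspection-mode, ssh-filter-profile,
# av-profile; assumed default inspection mode when unset: flow.
SAMPLE_CONFIG = """
config antivirus profile
    edit "av"
        config ssh
            set options scan
        end
    next
    edit "av-monitor"
        config ssh
            set options avmonitor
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set ssh-filter-profile "ssh-test"
        set av-profile "av"
    next
    edit 2
        set inspection-mode flow
        set ssh-filter-profile "ssh-test"
    next
    edit 3
        set inspection-mode proxy
        set av-profile "av-monitor"
    next
end
"""

def _node():
    return {"set": {}, "entries": {}, "tables": {}}

def parse_fortios(text):
    """Nested nodes: 'set' (keyword -> values), 'entries' (edit), 'tables' (config)."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # strips the quotes FortiOS puts around names
        cmd, args = words[0], words[1:]
        cur = stack[-1]
        if cmd == "config":
            stack.append(cur["tables"].setdefault(" ".join(args), _node()))
        elif cmd == "edit":
            stack.append(cur["entries"].setdefault(args[0], _node()))
        elif cmd == "set":
            cur["set"][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd}: {line}")
            stack.pop()
        else:
            raise ValueError(f"unknown command: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root

SSH_FILE_PROFILE_KEYS = ("ssh-filter-profile", "dlp-sensor", "av-profile")

def check_ssh_inspection(cfg):
    """Return [(policy_id, problem)] for policies whose SSH file scanning is ineffective."""
    problems = []
    policies = cfg["tables"].get("firewall policy", _node())["entries"]
    av_profiles = cfg["tables"].get("antivirus profile", _node())["entries"]
    for pid, pol in policies.items():
        s = pol["set"]
        attached = [k for k in SSH_FILE_PROFILE_KEYS if k in s]
        if not attached:
            continue
        mode = s.get("inspection-mode", ["flow"])[0]  # assumption: flow is the default
        if mode != "proxy":
            problems.append((pid, f"{', '.join(attached)} attached but inspection-mode "
                                  f"is {mode}; SSH file scanning needs proxy"))
        if "av-profile" in s:
            name = s["av-profile"][0]
            ssh = av_profiles.get(name, _node())["tables"].get("ssh", _node())
            opts = set(ssh["set"].get("options", []))
            # avmonitor only logs; assumption: scan or quarantine is needed to act on files
            if not opts & {"scan", "quarantine"}:
                problems.append((pid, f"av-profile {name} does not scan SSH: {sorted(opts)}"))
    return problems

if __name__ == "__main__":
    for pid, problem in check_ssh_inspection(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {pid}: {problem}")
```

Run against a `show full-configuration` dump instead of the embedded sample to audit a live unit; policy 1 above passes, policy 2 is reported for running in flow mode, and policy 3 is reported because its antivirus profile only monitors SSH transfers.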