SSH traffic file scanning
FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).
Note: This feature is supported in proxy-based inspection mode. It is currently not supported in flow-based inspection mode.
You can configure the following SSH traffic settings in the CLI:
- Protocol options
- DLP sensor
- Antivirus (profile and quarantine options)
To configure SSH protocol options:
    config firewall profile-protocol-options
        edit <name>
            config ssh
                set options {oversize clientcomfort servercomfort}
                set comfort-interval <1 - 900>
                set comfort-amount <1 - 65535>
                set oversize-limit <1 - 798>
                set uncompressed-oversize-limit <0 - 798>
                set uncompressed-nest-limit <2 - 100>
                set scan-bzip2 {enable | disable}
            end
        next
    end
To configure SCP block and log options:
    config ssh-filter profile
        edit <name>
            set block scp
            set log scp
        next
    end
To configure the DLP sensor:
    config dlp sensor
        edit <name>
            set full-archive-proto ssh
            set summary-proto ssh
            config filter
                edit 1
                    set proto ssh
                next
            end
        next
    end
To configure the antivirus profile options:
    config antivirus profile
        edit <name>
            config ssh
                set av-scan {disable | block | monitor}
                set outbreak-prevention {disable | block | monitor}
                set external-blocklist {disable | block | monitor}
                set fortindr {disable | block | monitor}
                set quarantine {enable | disable}
                set archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb timeout unhandled}
                set archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb timeout unhandled}
                set emulator {enable | disable}
            end
        next
    end
To configure the antivirus quarantine options:
    config antivirus quarantine
        set drop-infected ssh
        set store-infected ssh
        set drop-blocked ssh
        set store-blocked ssh
        set drop-machine-learning ssh
        set store-machine-learning ssh
    end
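As a worked example added here (not taken from the Fortinet documentation), the following CLI session ties the settings above together: it blocks SSH file transfers larger than 10 MB while keeping the client session alive during buffering, blocks and quarantines infected files, blocks and logs SCP, and binds the profiles to a proxy-mode firewall policy. The profile and interface names, the firewall policy fields, and the use of the "deep-inspection" SSL/SSH inspection profile are assumptions for this example.

```text
# Protocol options: block files over 10 MB, keep the client session alive while buffering
config firewall profile-protocol-options
    edit "ssh-scan-opts"
        config ssh
            set options oversize clientcomfort
            set comfort-interval 10
            set comfort-amount 1
            set oversize-limit 10
        end
    next
end
# Antivirus: block infected files and keep a copy in quarantine
config antivirus profile
    edit "ssh-av"
        config ssh
            set av-scan block
            set quarantine enable
            set archive-block encrypted mailbomb unhandled
        end
    next
end
config antivirus quarantine
    set store-infected ssh
    set store-blocked ssh
end
config ssh-filter profile
    edit "ssh-filter"
        set block scp
        set log scp
    next
end
# Policy binding (assumed interface names); proxy mode is required for SSH file scanning
config firewall policy
    edit 0
        set name "ssh-outbound-scanned"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSH"
        set action accept
        set schedule "always"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set profile-protocol-options "ssh-scan-opts"
        set av-profile "ssh-av"
        set ssh-filter-profile "ssh-filter"
    next
end
```

With this policy in place, SFTP transfers still pass but are buffered and scanned, so a quick check is to upload a file above and below the 10 MB limit and confirm the oversize block and the antivirus log entries appear for the SSH protocol.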