SSH traffic file scanning
FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).
This feature is supported in proxy-based inspection mode. It is currently not supported in flow-based inspection mode.
You can configure the following SSH traffic settings in the CLI:
- Protocol options
- DLP profile
- Antivirus (profile and quarantine options)
To configure SSH protocol options:
config firewall profile-protocol-options
    edit <name>
        config ssh
            set options {oversize clientcomfort servercomfort}
            set comfort-interval <1 - 900>
            set comfort-amount <1 - 65535>
            set oversize-limit <1 - 798>
            set uncompressed-oversize-limit <0 - 798>
            set uncompressed-nest-limit <2 - 100>
            set scan-bzip2 {enable | disable}
        end
    next
end
To configure SCP block and log options:
config ssh-filter profile
    edit <name>
        set block scp
        set log scp
    next
end
To configure the DLP profile:
config dlp profile
    edit <name>
        set full-archive-proto ssh
        set summary-proto ssh
        config filter
            edit 1
                set proto ssh
            next
        end
    next
end
To configure the antivirus profile options:
config antivirus profile
    edit <name>
        config ssh
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set fortindr {disable | block | monitor}
            set quarantine {enable | disable}
            set archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb timeout unhandled}
            set archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb timeout unhandled}
            set emulator {enable | disable}
        end
    next
end
To configure the antivirus quarantine options:
config antivirus quarantine
    set drop-infected ssh
    set store-infected ssh
    set drop-blocked ssh
    set store-blocked ssh
    set drop-machine-learning ssh
    set store-machine-learning ssh
end
To apply the ssh-filter to a policy:
config firewall policy
    edit <id>
        set utm-status enable
        set inspection-mode proxy
        set ssh-filter-profile <ssh-filter profile>
    next
end
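Because SSH file scanning only works on proxy-mode policies with UTM enabled, a policy that references an ssh-filter profile but is left in flow mode silently scans nothing. The following added audit script (not Fortinet code; the configuration dump and policy names are constructed) parses a FortiOS-style config export and reports policies that reference an ssh-filter profile without the two settings the feature needs. It assumes that a missing inspection-mode line means the default flow mode.

```python
import shlex

# Constructed sample of a FortiOS configuration export (not from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "ssh-out-scanned"
        set utm-status enable
        set inspection-mode proxy
        set ssh-filter-profile "ssh-scan"
    next
    edit 2
        set name "ssh-out-flow"
        set utm-status enable
        set inspection-mode flow
        set ssh-filter-profile "ssh-scan"
    next
    edit 3
        set name "ssh-out-no-utm"
        set inspection-mode proxy
        set ssh-filter-profile "ssh-scan"
    next
end
"""

def parse_fortios(text):
    """Turn config/edit ... set ... next/end blocks into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted values like "ssh-scan"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):       # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw in ("end", "next"):        # close it
            stack.pop()
        elif kw == "set":                  # attribute on the current entry
            stack[-1][args[0]] = " ".join(args[1:])
    return root

def audit_ssh_filter_policies(config):
    """Return {policy_id: [problems]} for policies that reference an ssh-filter
    profile but lack proxy inspection or UTM, so scanning would not happen."""
    findings = {}
    for pid, policy in config.get("firewall policy", {}).items():
        if "ssh-filter-profile" not in policy:
            continue
        problems = []
        # Assumption: an omitted inspection-mode means the flow-mode default.
        if policy.get("inspection-mode", "flow") != "proxy":
            problems.append("inspection-mode is not proxy; SSH file scanning needs proxy-based inspection")
        if policy.get("utm-status") != "enable":
            problems.append("utm-status is not enable; the ssh-filter profile is not applied")
        if problems:
            findings[pid] = problems
    return findings
```

Run it over a real `show firewall policy` export to list the policies whose SSH traffic is not actually being scanned.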