topic Re: Content awareness for SFTP in Firewall and Security Management

Content awareness for SFTP

maddah87 — Tue, 16 Jan 2024 08:03:48 GMT

Need to check the possibility to inspect content on SFTP connection.

R81.20 admin guide doesn't show SFTP as supported protocols.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/Content-Awareness-Blade.htm

the exact requirement as below.

Cx has a utility Which opens a web app in customer local machine and pass the file through the SFTP to Cx's side and it connecting to the server that located in DMZ.
Requirement is to only allow such legitimate traffic and any other traffic from SFTP client tools should be disabled.
It is encrypted with Cx’s public key and to be decrypted by the firewall and inspect the content too.
Through the sftp tunnel limited file types should be allowed and any other types should be restricted.

Re: Content awareness for SFTP

emmap — Tue, 16 Jan 2024 08:36:55 GMT

Currently SSH Deep Packet Inspection (which can inspect inside an SFTP connection) only supports Anti-Virus, IPS and Threat Emulation. What are the criteria for knowing which traffic is legitimate?

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/Content/Topics-TPG/Using-SSH-Inspection_Custom.htm

Re: Content awareness for SFTP

maddah87 — Tue, 16 Jan 2024 11:46:08 GMT

Customer has developed an SFTP application which destinated to a specific external IP of the Check Point firewall. They wanted to allow only that SFTP and Block all other SFTP applications.

Through the SFTP they wanted all limited number of file types

Re: Content awareness for SFTP

the_rock — Tue, 16 Jan 2024 13:41:34 GMT

I just enabled content awareness in the lab, but dont really see much related to sftp at all.

Best,

Andy

Re: Content awareness for SFTP

emmap — Wed, 17 Jan 2024 03:04:07 GMT

I don't know that we at the network/protocol inspection level have a way of distinguishing specific SFTP applications - they're likely all the same at the protocol level. This might be something that's more suitable to do at the application level, but please do work with your local SE on an RFE.

File types can be blocked with AV or TE blade, which are both supported via SSH DPI, so that you can do today. With AV you can configure the Threat Prevention profile under AV > File Types an action per file type for supported files (bypass, inspect, block) or in TE you can add a list of prohibited file types.

TE: https://support.checkpoint.com/results/sk/sk123140

Re: Content awareness for SFTP

maddah87 — Thu, 18 Jan 2024 10:02:23 GMT

Noted, Informed the SE and got the confirmation that specific requirement is not yet available and not in road map. Will ask to create a RFE

Thanks for the update on the same and will try the mentioned sk.

Re: Content awareness for SFTP

maddah87 — Thu, 18 Jan 2024 10:05:37 GMT

thanks,