https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225530#M43399 <P>This is what I've done.&nbsp; I created a TCP service for port 2200, and did not select any protocol from the drop down menu.&nbsp; Configuring in this way was not sufficient to allow this traffic.&nbsp; I do get matches for "Accepted" but then a "Reject" right after it saying the version 1.x is not allowed message.</P> Tue, 03 Sep 2024 17:32:34 GMT Cypress 2024-09-03T17:32:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225525#M43395 <P>Hello.&nbsp; We are implementing a test environment currently, so new gateways and a new policy... and I'm running into a traffic Reject I haven't encountered before.&nbsp; The Reject shows as Blade: Firewall, and has no matching rule number, and for message information it says "SSH version 1.x is not allowed."</P><P>I have Googled for this specific message, and found&nbsp;sk30470.. unfortunately the solution provided in&nbsp;sk30470 doesn't seem to work for me!</P><P>The traffic being Rejected by Check Point is for a Juniper Networks EX-series network switch talking to "MIST Wired Assurance" cloud management platform on TCP/2200.</P><P>The Check Point gateway is Rejecting this traffic because "SSH version 1.x is not allowed."&nbsp; Ok, that is not ideal if MIST is truly using that protocol version, and that's something I can bring up with that vendor.. but in the mean time, I really have to be able to allow this traffic on the Gateway.&nbsp; The problem is, I cannot figure out how!&nbsp; The article sk30470 says to use the 'ssh' service object to match all versions of ssh, but this traffic is using a custom port 2200.&nbsp; So.. how do I work around this issue?&nbsp; When I Created a custom service object to match TCP/2200, I only see ssh2 in the drop down for protocols.</P><P>Is this something I have to make an exception for in Inspection Settings?&nbsp; In the past I have done an exception like "Non-HTTPS Traffic over an HTTPS port" but there doesn't seem to be a similar option for SSH version 1.x is not allowed."</P><P>Any help would be appreciated.&nbsp; Since this for a test gateway I do not feel it warrants a TAC case, but I haven't been able to figure this out yet...</P> Tue, 03 Sep 2024 17:08:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225525#M43395 Cypress 2024-09-03T17:08:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225526#M43396 <P>As soon as I started reading your post, inspection settings came to mind. Though, out of the box, setting is default, NOT recommended, but will have a look at the lab later to see whats there for ssh.</P> <P>Andy</P> Tue, 03 Sep 2024 17:21:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225526#M43396 the_rock 2024-09-03T17:21:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225527#M43397 <P>How does the rule look? Traffic hits now ''any'' services? If so try to make a custom TCP-2200 port and allow it with that.</P> <P>Also app blade enabled?&nbsp;</P> <P>You can also try to clone the default SSH services and change the port</P> Tue, 03 Sep 2024 17:23:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225527#M43397 Lesley 2024-09-03T17:23:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225528#M43398 <P>Why not create a simple TCP service without a protocol handler for ssh?</P> Tue, 03 Sep 2024 17:24:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225528#M43398 PhoneBoy 2024-09-03T17:24:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225530#M43399 <P>This is what I've done.&nbsp; I created a TCP service for port 2200, and did not select any protocol from the drop down menu.&nbsp; Configuring in this way was not sufficient to allow this traffic.&nbsp; I do get matches for "Accepted" but then a "Reject" right after it saying the version 1.x is not allowed message.</P> Tue, 03 Sep 2024 17:32:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225530#M43399 Cypress 2024-09-03T17:32:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225531#M43400 <P>I will give this a try cloning the ssh service and changing the port.</P><P>EDIT: This appears to have done the trick.&nbsp; Clone default ssh service and rename ssh_mist and changed the port to 2200 and now I am no longer seeing "Reject" in the logs.&nbsp; And both lab switches lit up green in my Mist console.&nbsp; (They were showing Red/Disconnected before)</P> Tue, 03 Sep 2024 19:09:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225531#M43400 Cypress 2024-09-03T19:09:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225532#M43401 <P>Would you mind send us a screenthot? Just please blur out any sensitive info. Btw, I did check in my lab and though my gateways are set to recommended inspection profile, there is absolutely nothing referenced for ssh.</P> <P>Andy</P> Tue, 03 Sep 2024 17:47:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225532#M43401 the_rock 2024-09-03T17:47:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225540#M43402 <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ssh_not_allowed.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27487iAA3234967DE3D4BA/image-size/medium?v=v2&amp;px=400" role="button" title="ssh_not_allowed.JPG" alt="ssh_not_allowed.JPG" /></span></P><P>&nbsp;</P><P>This screenshot shows the accept immediately followed by the reject.&nbsp; The accept matches the expected rule number and rule name, while the reject is blank for rule number/rule name.&nbsp; It's the blankness that confuses me.. what is blocking it?&nbsp; It is coming from the firewall blade but it's not an actual "rule block'&nbsp;</P> Tue, 03 Sep 2024 19:07:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225540#M43402 Cypress 2024-09-03T19:07:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225541#M43403 <P>Does it give more info if you double click on it?</P> Tue, 03 Sep 2024 19:09:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225541#M43403 the_rock 2024-09-03T19:09:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225551#M43405 <P>Lesleyy's suggestion of clone the default ssh service and change its port has fixed this issue.</P> Tue, 03 Sep 2024 21:27:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225551#M43405 Cypress 2024-09-03T21:27:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225554#M43406 <P>Great!</P> Tue, 03 Sep 2024 22:23:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-version-1-x-is-not-allowed/m-p/225554#M43406 the_rock 2024-09-03T22:23:45Z