https://community.checkpoint.com/t5/General-Topics/SSH-SCP-and-SFTP-traffic/m-p/245629#M41029 <P>Hi mates,</P><P>Like usual I come to you with 'stupid' questions <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>One of my customers has a problem: their users figured out that they can copy data by running SCP servers on well known ports. For example one users was running SCP on port 10443&nbsp; which was allowed by a more broad security policy and another one on port 8443 which was my mistake allowed by one miss configured security policy.</P><P>So my approach was to enable and use App Control blade with "OpenSSH" application customized to use only ssh and ssh_version_2.&nbsp; Just after this rule, another one with a cloned obiect of OpenSSH this time cutomized with "any" service.</P><P>This one fixed the issue.&nbsp; SSH is very strict in sources and destinations and therefore is not an issue.&nbsp; What the rule did was to block any other ssh/scp connection on different port and protocol other that 22 (which is by default not allowed).</P><P>But this one also broke the legit SCP/SFTP connections as the firewall sees those connections on tcp/22 but they have no signature to match "OpenSSH" application. And here is where I got stuck and I would really appreciate some help or guidance.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Apr 2025 16:40:47 GMT melcu 2025-04-03T16:40:47Z https://community.checkpoint.com/t5/General-Topics/SSH-SCP-and-SFTP-traffic/m-p/245629#M41029 <P>Hi mates,</P><P>Like usual I come to you with 'stupid' questions <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>One of my customers has a problem: their users figured out that they can copy data by running SCP servers on well known ports. For example one users was running SCP on port 10443&nbsp; which was allowed by a more broad security policy and another one on port 8443 which was my mistake allowed by one miss configured security policy.</P><P>So my approach was to enable and use App Control blade with "OpenSSH" application customized to use only ssh and ssh_version_2.&nbsp; Just after this rule, another one with a cloned obiect of OpenSSH this time cutomized with "any" service.</P><P>This one fixed the issue.&nbsp; SSH is very strict in sources and destinations and therefore is not an issue.&nbsp; What the rule did was to block any other ssh/scp connection on different port and protocol other that 22 (which is by default not allowed).</P><P>But this one also broke the legit SCP/SFTP connections as the firewall sees those connections on tcp/22 but they have no signature to match "OpenSSH" application. And here is where I got stuck and I would really appreciate some help or guidance.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Apr 2025 16:40:47 GMT https://community.checkpoint.com/t5/General-Topics/SSH-SCP-and-SFTP-traffic/m-p/245629#M41029 melcu 2025-04-03T16:40:47Z https://community.checkpoint.com/t5/General-Topics/SSH-SCP-and-SFTP-traffic/m-p/245632#M41031 <P>Is the "legitimate" SCP/SFTP to specific servers?<BR />Then create a specific rule for those servers allowing access using ssh_version_2 before the App Control rule you created.</P> Thu, 03 Apr 2025 16:47:24 GMT https://community.checkpoint.com/t5/General-Topics/SSH-SCP-and-SFTP-traffic/m-p/245632#M41031 PhoneBoy 2025-04-03T16:47:24Z