topic Re: R81.20.05+ - SSH traffic is excluded from VPN in Spark Firewall (SMB)

R81.20.05+ - SSH traffic is excluded from VPN

K_R_V — Tue, 10 Oct 2023 14:27:37 GMT

As from R81.10.05, it seems SSH and SFTP (TCP/22) traffic originating from the gateway itself to a server behind a VPN tunnel is not put in the tunnel but sent out according to the routing table. Not sure what is causing this behavior, I do not find something in the release notes. Any ideas ?

All firewalls are centrally managed.
SSH is not excluded from VPN.
no crypt.def is used.
Same firewalls with same policy in the same community but on R81.10.00/R77.20.81/R80.20.35 do not have this issue.
Behavior is seen in different environments.
use case is sftp backup !

A TAC case is created.

Re: R81.20.05+ - SSH traffic is excluded from VPN

the_rock — Tue, 10 Oct 2023 17:22:13 GMT

I also read release notes/known issues and only thing for ssh is protection related to threat prevention, and as far as sftp, dont see anything.

Let us know what TAC says.

Andy

Re: R81.20.05+ - SSH traffic is excluded from VPN

K_R_V — Wed, 11 Oct 2023 11:47:57 GMT

"fw ctl set int accept_ssh_https_outgoing_clear 0" or clish -c "kernel-parameter set name accept_ssh_https_outgoing_clear type int value 0" solves the issue.

This kernel parameter seems to be introduced in R81.10.05, according to TAC an SK is submitted for approval but not yet published .

Re: R81.20.05+ - SSH traffic is excluded from VPN

the_rock — Wed, 11 Oct 2023 11:59:30 GMT

Thanks for letting us know.

Andy