SSH tunnels are very helpful for carrying other required traffic through an SSH connection that already works.
Pro:
- If SSH is already working, other traffic can be routed through it without the need for additional rules or a policy install
Prerequisites:
- SSH tunneling (TCP forwarding) needs to be enabled in the gateway's sshd:
  - temporarily:
    sed -i 's/^AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && sshd restart
  - permanently: see sk106031
- Host Access / GUI Clients might need to be adjusted to allow connections from the system that tunnels the traffic (its source IP, or 127.0.0.1 in case your tunnel's destination is the local system)
- The SSH session timeout should be unset while tunneling traffic, via:
  unset TMOUT
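Before opening a tunnel it is worth confirming that the first prerequisite is really met, because sshd honours only the first occurrence of a keyword: an "AllowTcpForwarding yes" appended below an earlier "AllowTcpForwarding no" changes nothing, and the tunnel later fails with "administratively prohibited". The following helper is an added example (not part of the original post) that reads sshd_config text from stdin and reports the value sshd would take, with the sample configuration constructed inline for illustration:

```shell
#!/bin/sh
# Added example, not from the original post.
# Reports the AllowTcpForwarding value sshd would use for a given config text:
#   - the FIRST matching line wins (later duplicates are ignored by sshd)
#   - the keyword is case-insensitive
#   - when the keyword is absent, sshd's default is "yes"
# Caveat: this looks at the file text only and ignores Match blocks; on the
# live host, "sshd -T" prints the effective running configuration.

allow_tcp_forwarding() {
    # read sshd_config-style text on stdin, print "yes" or "no"
    _val=$(grep -iE '^[[:space:]]*AllowTcpForwarding[[:space:]]' \
           | head -n 1 \
           | awk '{print tolower($2)}')
    [ -z "$_val" ] && _val="yes"
    printf '%s' "$_val"
}

# Constructed sample: the appended "yes" does NOT override the earlier "no".
SAMPLE_CONFIG='Port 22
AllowTcpForwarding no
AllowTcpForwarding yes'

# Convenience wrapper for the sample above.
check_sample_config() {
    printf '%s\n' "$SAMPLE_CONFIG" | allow_tcp_forwarding
}

# Usage on a real host (requires read access to the file):
#   allow_tcp_forwarding < /etc/ssh/sshd_config
```

The sed one-liner in the prerequisites only rewrites a line that starts with "AllowTcpForwarding no"; if the keyword is commented out or appears in a Match block, check the effective value with this helper or with "sshd -T" rather than assuming the edit took effect.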
Use cases:
- Troubleshooting connectivity issues
  - Example: if your normal SmartConsole connection to the SmartCenter Server doesn't work anymore (VPN down or something else) but you can still connect to the firewall gateway via SSH, you can simply tunnel the SmartConsole connection through the gateway
- ..
Establishing an SSH tunnel:
- Example for a SmartConsole connection:
  - According to sk52421, ports 443, 18190, 18210 and 19009 need to be tunneled to the SmartCenter Server
  - the PuTTY way:
  - recent Windows versions have an OpenSSH client built in, so you can also open a CMD terminal and establish the SSH tunnel via the CLI using the ssh -L parameter
  - and of course any other SSH client of your choice should work as well
  - after the SSH tunnel is established you can then start SmartConsole like this, and the traffic is piped through the SSH tunnel:
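For the CLI variant, the four forwards from sk52421 make for a long command line that is easy to mistype. The script below is an added example (not the original post's code) that assembles the OpenSSH "-L" arguments for those ports and prints the complete command; the gateway name "gw.example.net", the user "admin" and the SmartCenter address 10.0.0.10 are placeholder assumptions:

```shell
#!/bin/sh
# Added example, not from the original post.
# Builds the OpenSSH local-forward arguments for the SmartConsole ports named
# in sk52421 (443, 18190, 18210, 19009). Each forward binds 127.0.0.1:<port>
# on the client and sends it through the gateway to <smartcenter>:<port>, so
# SmartConsole is then pointed at 127.0.0.1 instead of the SmartCenter IP.
SMARTCENTER_PORTS="443 18190 18210 19009"

# build_forwards <smartcenter-ip>: prints "-L 127.0.0.1:P:ip:P" for every port
build_forwards() {
    _target="$1"
    _out=""
    for _p in $SMARTCENTER_PORTS; do
        _out="$_out -L 127.0.0.1:$_p:$_target:$_p"
    done
    printf '%s' "${_out# }"
}

# build_ssh_command <user> <gateway> <smartcenter-ip>: prints the full command.
#   -N                          open no remote shell, just hold the forwards
#   -o ExitOnForwardFailure=yes abort instead of running with a forward missing
#                               (e.g. local 443 needing root on Linux/macOS,
#                               or TCP forwarding disabled on the gateway)
build_ssh_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s@%s' \
        "$(build_forwards "$3")" "$1" "$2"
}

# Usage with the placeholder values (hypothetical names):
#   build_ssh_command admin gw.example.net 10.0.0.10
#   eval "$(build_ssh_command admin gw.example.net 10.0.0.10)"
```

Without "-o ExitOnForwardFailure=yes" ssh only prints a warning for a forward it could not bind and keeps the session open, so SmartConsole would fail on one port while the others work; with it, a failed bind or the gateway's "administratively prohibited" refusal ends the session immediately and points back at the prerequisites above.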