Hi mates,
Like usual I come to you with 'stupid' questions 🙂
One of my customers has a problem: their users figured out that they can copy data by running SCP servers on well-known ports. For example, one user was running SCP on port 10443, which was allowed by a more broad security policy, and another one on port 8443, which was (my mistake) allowed by one misconfigured security policy.
So my approach was to enable and use the App Control blade with the "OpenSSH" application customized to use only ssh and ssh_version_2. Just after this rule, another one with a cloned object of OpenSSH, this time customized with "any" service.
This one fixed the issue. SSH is very strict in sources and destinations and therefore is not an issue. What the rule did was to block any other ssh/scp connection on a different port and protocol other than 22 (which is by default not allowed).
But this one also broke the legit SCP/SFTP connections, as the firewall sees those connections on tcp/22 but they have no signature to match the "OpenSSH" application. And here is where I got stuck, and I would really appreciate some help or guidance.
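The core of the problem above is telling SSH apart from other traffic by what the connection actually carries, not by the port it uses. The following is an added illustration, not the poster's configuration and not Check Point code: it classifies a flow from the server's RFC 4253 identification string ("SSH-2.0-...") and then applies the intended rule order (SSH version 2 on tcp/22 from approved sources is allowed, SSH on any other port is blocked, non-SSH traffic falls through). All flows, addresses and the approved-source set are constructed for the example.

```python
import re
from dataclasses import dataclass

# RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]\r\n".
# The server may send other lines before it, so each line is checked.
SSH_BANNER = re.compile(rb"^SSH-(?P<proto>\d\.\d+)-(?P<software>[^ \r\n]+)")

# Constructed: the only source allowed to open SSH sessions (a jump host).
ALLOWED_SSH_SOURCES = {"10.0.1.5"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    server_payload: bytes  # first bytes sent by the server (constructed)


def classify(flow):
    """Return 'ssh2', 'ssh-legacy' (1.x or 1.99 fallback), or None.

    The decision is made on the banner only; the port plays no role here,
    which is what makes SCP on 10443 or 8443 visible as SSH.
    """
    for line in flow.server_payload.split(b"\n"):
        m = SSH_BANNER.match(line)
        if m:
            return "ssh2" if m.group("proto") == b"2.0" else "ssh-legacy"
    return None


def verdict(flow):
    """Apply the rule order described in the post to one flow."""
    kind = classify(flow)
    if kind is None:
        return "not-ssh"  # let the ordinary service-based rules decide
    if flow.dport != 22:
        return "block:ssh-on-nonstandard-port"  # the 'any service' clone
    if kind != "ssh2":
        return "block:ssh-legacy"  # ssh_version_2 only
    if flow.src not in ALLOWED_SSH_SOURCES:
        return "block:unapproved-source"
    return "allow"  # legitimate SCP/SFTP on tcp/22
```

Because the match is on the banner, a legitimate SFTP session on tcp/22 and a covert SCP server on 10443 are both recognised as SSH, and only the port and source then decide between them.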