K_R_V
Collaborator

R81.20.05+ - SSH traffic is excluded from VPN

As from R81.10.05, it seems SSH and SFTP (TCP/22) traffic originating from the gateway itself to a server behind a VPN tunnel is not put in the tunnel but sent out according to the routing table. Not sure what is causing this behavior; I do not find anything in the release notes. Any ideas?

  • All firewalls are centrally managed.
  • SSH is not excluded from VPN.
  • No crypt.def is used.
  • Same firewalls with same policy in the same community but on R81.10.00/R77.20.81/R80.20.35 do not have this issue.
  • Behavior is seen in different environments.
  • Use case is SFTP backup!

A TAC case is created.

0 Kudos
1 Solution

Accepted Solutions
K_R_V
Collaborator

"fw ctl set int accept_ssh_https_outgoing_clear 0" or clish -c "kernel-parameter set name accept_ssh_https_outgoing_clear type int value 0" solves the issue.

This kernel parameter seems to be introduced in R81.10.05; according to TAC, an SK is submitted for approval but not yet published.

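As an added example (not from the thread or from Check Point), the following expert-mode script turns the accepted solution into a repeatable check: it reads the accept_ssh_https_outgoing_clear kernel parameter with "fw ctl get int", reports whether gateway-originated SSH/HTTPS would currently bypass the VPN tunnel, and applies the "fw ctl set int ... 0" fix from the thread only when invoked with a --fix flag (the flag is this script's own convention). It assumes "fw ctl get int NAME" prints a line of the form "NAME = VALUE" and that the parameter only exists on R81.10.05 and later, as the thread states; on a host without the fw binary it does nothing.

```shell
#!/bin/bash
# Added example, not Check Point code: audit and optionally clear the
# accept_ssh_https_outgoing_clear kernel parameter on a Gaia gateway.
# Assumptions: run in expert mode; "fw ctl get int NAME" prints
# "NAME = VALUE" (assumed output format); a non-zero value means
# gateway-originated SSH/HTTPS leaves in the clear instead of via the VPN.

PARAM="accept_ssh_https_outgoing_clear"

# Extract the integer after "=" from a "NAME = VALUE" line; empty if absent.
parse_kparam_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when the value is present and non-zero, i.e. a fix is needed.
needs_fix() {
    [ -n "$1" ] && [ "$1" -ne 0 ]
}

# Read the live value from the kernel (only works on a Check Point gateway).
read_live_value() {
    parse_kparam_value "$(fw ctl get int "$PARAM" 2>/dev/null)"
}

# Apply the runtime fix from the thread; it does not survive a reboot.
apply_fix() {
    fw ctl set int "$PARAM" 0
}

main() {
    if ! command -v fw >/dev/null 2>&1; then
        echo "fw not found: not a Check Point gateway, nothing checked" >&2
        return 0
    fi
    value="$(read_live_value)"
    if [ -z "$value" ]; then
        echo "$PARAM not present in this kernel (release before R81.10.05?)" >&2
        return 0
    fi
    if needs_fix "$value"; then
        echo "$PARAM=$value: gateway-originated SSH/HTTPS bypass the VPN tunnel"
        if [ "${1:-}" = "--fix" ]; then
            apply_fix && echo "set $PARAM=0; re-check with: fw ctl get int $PARAM"
        fi
    else
        echo "$PARAM=$value: gateway-originated SSH/HTTPS follow VPN policy"
    fi
}

main "$@"
```

"fw ctl set int" changes the running kernel only; to keep the setting across a reboot, use the clish kernel-parameter form quoted in the thread or the usual $FWDIR/boot/modules/fwkern.conf entry, and confirm afterwards that an SSH/SFTP session from the gateway to the remote server appears in "fw monitor" or "vpn tu" as encrypted traffic rather than leaving in the clear on the route to the server.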

3 Replies
the_rock
Legend

I also read the release notes/known issues, and the only thing for SSH is a protection related to Threat Prevention; as far as SFTP, I don't see anything.

Let us know what TAC says.

Andy

0 Kudos

the_rock
Legend

Thanks for letting us know.

Andy

0 Kudos
