maddah87
Contributor

Content awareness for SFTP

Need to check the possibility to inspect content on an SFTP connection.

The R81.20 admin guide doesn't show SFTP as a supported protocol.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic...

The exact requirement is as below.

  1. Cx has a utility which opens a web app on the customer's local machine and passes the file through SFTP to Cx's side, connecting to the server that is located in the DMZ.
  2. The requirement is to allow only such legitimate traffic; any other traffic from SFTP client tools should be disabled.
  3. It is encrypted with Cx’s public key and is to be decrypted by the firewall, which should inspect the content too.
  4. Through the SFTP tunnel, limited file types should be allowed and any other types should be restricted.

Accepted Solutions
maddah87
Contributor

Noted. Informed the SE and got confirmation that the specific requirement is not yet available and not on the roadmap. Will ask to create an RFE.

Thanks for the update on the same and will try the mentioned sk.

emmap
Employee

Currently SSH Deep Packet Inspection (which can inspect inside an SFTP connection) only supports Anti-Virus, IPS and Threat Emulation. What are the criteria for knowing which traffic is legitimate?

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

maddah87
Contributor

The customer has developed an SFTP application which is destined to a specific external IP of the Check Point firewall. They wanted to allow only that SFTP and block all other SFTP applications.

Through the SFTP they wanted to allow a limited number of file types.

the_rock
Legend

I just enabled content awareness in the lab, but don't really see much related to SFTP at all.

Best,

Andy

maddah87
Contributor

thanks,

emmap
Employee

I don't know that we at the network/protocol inspection level have a way of distinguishing specific SFTP applications - they're likely all the same at the protocol level. This might be something that's more suitable to do at the application level, but please do work with your local SE on an RFE. 

File types can be blocked with AV or TE blade, which are both supported via SSH DPI, so that you can do today. With AV you can configure the Threat Prevention profile under AV > File Types an action per file type for supported files (bypass, inspect, block) or in TE you can add a list of prohibited file types. 

TE: https://support.checkpoint.com/results/sk/sk123140

