HTTPS Inspection
Hello CheckMates,
I have the below doubt to be implemented; can anyone shed some ideas on how to achieve it?
1) I have a CheckPoint ClusterHA deployed and a VPN tunnel is running towards a peer 3rd-party FW.
2) Enabled the FW, VPN, IPS, APP/URL, AV, AB blades in CheckPoint.
3) Behind the CheckPoint cluster we have an SFTP server in the VPN domain.
4) Behind the peer 3rd-party FW we have a client machine which will access our SFTP server via the VPN tunnel and upload files.
How can I inspect this SFTP traffic in CheckPoint?
Like, if I'm uploading any malware file onto our SFTP server via the VPN tunnel from the 3rd-party client domain, will the CheckPoint FW be able to inspect this? (Either IPS or AV)
As per the FW chain modules, at the external interface of CheckPoint decryption happens and then the packet moves to modules like IPS/AV in the FW kernel. Then the packet reaches the internal SFTP server.
I cannot use the HTTPS Inspection policy as it is not the HTTP/S protocol.
Which way can I inspect this traffic which passes via the tunnel, reaches CheckPoint and then the SFTP server?
Note: Under Threat Profile, under the AV settings we see "Protocol-HTTP, FTP, SMTP" - will enabling FTP work?
Also IPS can only check a few of the SFTP/FTP protocols, based on signatures only.
Regards, Prabu
Hi,
We haven't implemented this feature yet but it is possible: SSH Deep Packet Inspection (checkpoint.com)
This feature requires R80.40 as per the documentation.
Regards
Marcel
Hello Marcel,
Yes, SSH DPI can be used from R80.40 onwards, in which AV & SandBlast can perform inspection on SCP/FTP traffic, which is new.
"SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection"
But any idea how it will show or perform the SFTP traffic inspection? Or has anyone tried this SSH DPI in R80.40 and has results?
Regards, Prabu
@Prabulingam_N1 Please read the guide, you should have all you need there.
Also, we do have customers using this feature.
R80.40 has the SSH Deep Packet Inspection feature, which allows decrypting SFTP and SSH for inbound connections. Some details are here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...
However, in your case the VPN is complicating the issue.
Hi Val,
Yes, since my SFTP traffic from the peer side passes through the tunnel and reaches CheckPoint, hopefully once CheckPoint decrypts it, it can perform this inspection.
Let me try this once to see if it really inspects or not.
Regards, Prabu
Most probably not. The IPSec VPN tunnel here is an issue.
Hi Val,
Since in the FW chain modules (fw ctl chain), inbound, the packet gets decrypted by the FW, then moves into the kernel modules for the other blades to check, then goes inbound towards the internal SFTP server. With this it should work.
Regards, Prabu
Not that simple, but you can try anyway.
Dear Val,
I had set up SSH DPI as per the document.
Copied the SFTP server's public/private key into the FW and enabled it through the command.
But how do I confirm if the SFTP traffic gets inspected or NOT?
No sign of related logs for this traffic.
Regards, Prabu
Did you set up security rules for inspection as well?
Dear Val,
I had followed the SSH DPI steps mentioned in the R80.40 TP Admin guide.
Copied the SFTP server's public/private key into the FW and enabled it through the command.
Enabled the AntiVirus & IPS blades.
Also enabled the option in the AV Profile settings: "Process All file Types".
I'm able to upload the EICAR test file into my internal SFTP server successfully, and the FW did NOT do any inspection.
No rules as such in the policies to inspect, like we have for the HTTPS policy; only enabling SSH DPI via the command.
You had mentioned some customers have used this feature; can you help me in getting that info?
Regards, Prabu
You need inspection rules. Follow the Threat Prevention guide I referenced before. If you have any issue, please reach out to your local Check Point office or open a support request with TAC.
Concerning the references, you can look here, for example: https://community.checkpoint.com/t5/General-Topics/SSH-decryption-in-Check-Point-R80-20/m-p/48251#M9...
Also, what is your output for this?
cpssh_config istatus
Hello Val,
Below is the output:
[Expert@FWSTDR8040:0]# cpssh_config istatus
SSH Inspection is enabled
[Expert@FWSTDR8040:0]# cpssh_config -q
This is available ID for set/get:
0: Global
1: KeyExchange
2: Cipher
3: Mac
4: Hostkey
[Global] Inspection_Enabled = 1
[Global] Port_fowarding_Enabled = 1
[Global] Inspection_Forced = 1
[Global] Connection_Timeout_Sec = 2000000000
[KeyExchange] diffie-hellman-group-exchange-sha1 = 1
[KeyExchange] diffie-hellman-group-exchange-sha256 = 1
[Cipher] aes128-cbc = 1
[Cipher] aes256-cbc = 1
[Cipher] aes128-gcm@openssh.com = 1
[Cipher] aes256-gcm@openssh.com = 1
[Mac] MD5 = 1
[Mac] SHA1 = 1
[Mac] SHA256 = 1
[Mac] SHA384 = 1
[Mac] SHA512 = 1
[Hostkey] ssh-rsa = 1
[Hostkey] rsa-sha2-256 = 1
[Hostkey] rsa-sha2-512 = 1
[Expert@FWSTDR8040:0]#
Regards, Prabu
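The dump above shows which key exchange, cipher, MAC and host key algorithms the gateway has enabled for inspected SSH sessions, and several of them (SHA-1 group exchange, CBC ciphers, MD5 and SHA-1 MACs, SHA-1 RSA signatures) are ones a reviewer would want to know about. The following script is an added example, not part of the thread and not Check Point code: it parses the `[Section] key = value` lines exactly as pasted and reports the enabled entries that fall into that legacy set. That `= 1` means "enabled for inspected sessions" is an assumption taken from the output's wording.

```python
"""Audit a `cpssh_config -q` dump for legacy SSH algorithms.

Added example, not from the thread or from Check Point: it parses the
[Section] key = value lines pasted in the post and reports enabled
entries that a reviewer would treat as legacy. Reading "= 1" as
"enabled for inspected sessions" is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Entries flagged when enabled, based on general SSH hardening guidance
# (SHA-1 key exchange, CBC ciphers, MD5/SHA-1 MACs, SHA-1 RSA signatures).
LEGACY = {
    "KeyExchange": {"diffie-hellman-group-exchange-sha1"},
    "Cipher": {"aes128-cbc", "aes256-cbc"},
    "Mac": {"MD5", "SHA1"},
    "Hostkey": {"ssh-rsa"},
}

LINE_RE = re.compile(r"^\[(\w+)\]\s+(\S+)\s*=\s*(\d+)\s*$")

# Sample input: the output pasted in the post (the ID list is omitted).
SAMPLE = """\
[Global] Inspection_Enabled = 1
[Global] Port_fowarding_Enabled = 1
[Global] Inspection_Forced = 1
[Global] Connection_Timeout_Sec = 2000000000
[KeyExchange] diffie-hellman-group-exchange-sha1 = 1
[KeyExchange] diffie-hellman-group-exchange-sha256 = 1
[Cipher] aes128-cbc = 1
[Cipher] aes256-cbc = 1
[Cipher] aes128-gcm@openssh.com = 1
[Cipher] aes256-gcm@openssh.com = 1
[Mac] MD5 = 1
[Mac] SHA1 = 1
[Mac] SHA256 = 1
[Mac] SHA384 = 1
[Mac] SHA512 = 1
[Hostkey] ssh-rsa = 1
[Hostkey] rsa-sha2-256 = 1
[Hostkey] rsa-sha2-512 = 1
"""


def parse(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {key: value}}; lines that do not match are skipped."""
    cfg: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            section, key, value = m.groups()
            cfg.setdefault(section, {})[key] = int(value)
    return cfg


def audit(cfg: Dict[str, Dict[str, int]]) -> List[Tuple[str, str]]:
    """List (section, name) pairs for enabled legacy algorithms, sorted."""
    findings = []
    for section, names in LEGACY.items():
        for name, enabled in cfg.get(section, {}).items():
            if enabled and name in names:
                findings.append((section, name))
    return sorted(findings)


def inspection_active(cfg: Dict[str, Dict[str, int]]) -> bool:
    """True when the global switch reports inspection as enabled."""
    return cfg.get("Global", {}).get("Inspection_Enabled", 0) == 1


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("inspection enabled:", inspection_active(cfg))
    for section, name in audit(cfg):
        print(f"legacy algorithm enabled: [{section}] {name}")
```

Run it against the saved output of `cpssh_config -q` from your own gateway to get a quick list of what is negotiable on inspected sessions; whether any of these entries can or should be switched off on a given release is a question for the Threat Prevention guide or TAC, not something the script decides.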
Okay, it seems to be enabled. I have told you from the start that I see the VPN being an issue here, but the best course of action is to run this with TAC.
Hello Val,
No worries.
I just did and got the result... cool result in the SSH DPI logs.
Traffic passing via the VPN tunnel:
Once the FW decrypted it, it got into the AV blade and was prevented as malware
(used the eicar.com file and uploaded it into the SFTP server via WinSCP on the client machine).
Regards, Prabu
Great, so what was the issue? Please share it with us.
Hello Val,
Performed the transparent method and could not get it.
Hence set it up as a "non-transparent inspected SSH server" using only the public key of the server on the FW, and got it.
And enabled "Process file which contain known Malware" under the AV Profile settings & it worked.
No additional rule in the FW rulebase (the VPN rule between both encryption domains is enough).
Regards, Prabu
Sounds logical, thanks.
The documentation doesn't really explain the difference, but states how to achieve it:
transparent vs non-transparent SSH inspection.
Is there any benefit to using transparent over non-transparent, security-wise?
I'd say non-transparent is more secure since it doesn't require putting a private SSH key on the gateway.
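The practical consequence of that difference shows up on the client side: if the gateway holds the server's private key it can present the server's own host key, whereas with only the public key it must present its own, so the client sees a different fingerprint and has to trust the gateway key explicitly. The following script is an added example, not part of the thread and not Check Point code; it computes OpenSSH-style SHA256 fingerprints with the standard library and classifies an observed host key against the one recorded for the server. The transparent/non-transparent reading of a matching versus differing fingerprint is an assumption drawn from the replies above, and the keys it builds are constructed byte patterns, not real keys.

```python
"""Classify an observed SSH host key against the server's known key.

Added example, not from the thread or from Check Point. It computes
OpenSSH-style SHA256 fingerprints using only the standard library.
Assumption drawn from the thread: transparent inspection keeps the
server's private key on the gateway, so the client still sees the
server's own host key; non-transparent inspection holds only the
public key, so the client sees the gateway's key instead. The keys
built below are constructed byte patterns, not real keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line from a 32-byte value (constructed key)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


TRANSPARENT = "transparent"
NON_TRANSPARENT = "non-transparent"


def classify(server_pubkey_line: str, observed_pubkey_line: str) -> str:
    """Same fingerprint: the server's identity is preserved end to end
    (transparent inspection, or no inspection at all). Different
    fingerprint: another party terminates the session (non-transparent
    inspection, or an unexpected change the client must not silently accept)."""
    if fingerprint(server_pubkey_line) == fingerprint(observed_pubkey_line):
        return TRANSPARENT
    return NON_TRANSPARENT


# Constructed sample keys (not real keys): the SFTP server's recorded key
# and the key an inspecting gateway would present in non-transparent mode.
SERVER_KEY = ed25519_pubkey_line(bytes(range(32)), "sftp-server")
GATEWAY_KEY = ed25519_pubkey_line(bytes(range(32, 64)), "inspecting-gateway")

if __name__ == "__main__":
    print("server  ", fingerprint(SERVER_KEY))
    print("gateway ", fingerprint(GATEWAY_KEY))
    print("observed gateway key ->", classify(SERVER_KEY, GATEWAY_KEY))
```

For a non-transparent deployment this means clients connecting through the gateway will hit a host-key mismatch the first time, so the gateway's key has to be distributed to them as the trusted key for that host; the same check is also what tells a client that an unexpected party has appeared in the path when no such deployment was planned.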