Cypress
Contributor

SSH version 1.x is not allowed

Hello.  We are implementing a test environment currently, so new gateways and a new policy... and I'm running into a traffic Reject I haven't encountered before.  The Reject shows as Blade: Firewall, and has no matching rule number, and for message information it says "SSH version 1.x is not allowed."

I have Googled for this specific message and found sk30470. Unfortunately the solution provided in sk30470 doesn't seem to work for me!

The traffic being Rejected by Check Point is for a Juniper Networks EX-series network switch talking to "MIST Wired Assurance" cloud management platform on TCP/2200.

The Check Point gateway is Rejecting this traffic because "SSH version 1.x is not allowed."  Ok, that is not ideal if MIST is truly using that protocol version, and that's something I can bring up with that vendor... but in the meantime, I really have to be able to allow this traffic on the Gateway.  The problem is, I cannot figure out how!  The article sk30470 says to use the 'ssh' service object to match all versions of ssh, but this traffic is using a custom port 2200.  So... how do I work around this issue?  When I created a custom service object to match TCP/2200, I only see ssh2 in the drop-down for protocols.

Is this something I have to make an exception for in Inspection Settings?  In the past I have done an exception like "Non-HTTPS Traffic over an HTTPS port" but there doesn't seem to be a similar option for "SSH version 1.x is not allowed."

Any help would be appreciated.  Since this is for a test gateway I do not feel it warrants a TAC case, but I haven't been able to figure this out yet...

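Before allowing the service on the gateway, a practitioner would want to confirm which SSH protocol version the endpoint on TCP/2200 actually advertises, since it is the gateway's SSH protocol handler, not a rule, that produces this reject. The script below is an added example; it is not from this thread nor from Check Point, Juniper or Mist. It reads only the identification string a server sends before key exchange (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments CR LF"), so no credentials are needed. The host and port on the command line are assumptions for illustration, and the sample banners are constructed, not captured from any real host. Note that the gateway sees both sides' identification strings; this check shows what the server offers, not what the Juniper client sends.

```python
"""Classify the SSH protocol version advertised by a listener.

Added diagnostic example (not from the original thread). Speaks only the
RFC 4253 section 4.2 identification exchange, so it never authenticates.
"""
import re
import socket
import sys

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)


def parse_ssh_banner(line: str):
    """Return (protoversion, softwareversion, comments), or None if the
    line is not an SSH identification string."""
    m = _BANNER_RE.match(line)
    if not m:
        return None
    return m.group("proto"), m.group("soft"), m.group("comment") or ""


def classify_version(proto: str) -> str:
    """Map the protoversion field to what a firewall's SSH handler would see.

    "2.0" is SSH-2 only. "1.99" is an SSH-2 server advertising backward
    compatibility with SSH-1 clients (RFC 4253 5.1). Anything else that
    starts with "1." is SSH-1.
    """
    if proto == "2.0":
        return "ssh2"
    if proto == "1.99":
        return "ssh2-with-ssh1-compat"
    if proto.startswith("1."):
        return "ssh1"
    return "unknown"


def classify_banner(line: str) -> str:
    """Parse and classify one identification line."""
    parsed = parse_ssh_banner(line)
    return classify_version(parsed[0]) if parsed else "unknown"


def check_listener(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, read the server's identification string, and classify it.

    Servers may send free-form banner lines before the identification
    string (RFC 4253 4.2), so lines are skipped until one starts "SSH-".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for _ in range(32):          # bound the pre-banner lines we tolerate
            line = f.readline()
            if not line:
                break
            if line.startswith("SSH-"):
                return classify_banner(line)
    return "no-banner"


# Constructed sample banners with the classification each should produce.
SAMPLE_BANNERS = {
    "SSH-2.0-OpenSSH_9.3\r\n": "ssh2",
    "SSH-1.99-Cisco-1.25\r\n": "ssh2-with-ssh1-compat",
    "SSH-1.5-OldDaemon\r\n": "ssh1",
    "220 not-ssh-at-all\r\n": "unknown",
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Hypothetical usage: python ssh_banner.py cloud.example 2200
        print(check_listener(sys.argv[1], int(sys.argv[2])))
    else:
        for banner, expected in SAMPLE_BANNERS.items():
            print(f"{banner.strip()!r:36} -> {classify_banner(banner)} (expected {expected})")
```

Run it with a host and port to query a live listener, or with no arguments to exercise the constructed samples. A result of "ssh1" or "ssh2-with-ssh1-compat" is what you would raise with the vendor; "ssh2" means the server side is clean and the client's identification string is the next thing to capture.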

Accepted Solutions
Lesley
Leader

How does the rule look? Does the traffic currently hit a rule with 'any' for services? If so, try making a custom TCP-2200 service and allowing it with that.

Also, is the app blade enabled?

You can also try to clone the default SSH services and change the port

-------
If you like this post please give a thumbs up(kudo)! 🙂


10 Replies
the_rock
Legend

As soon as I started reading your post, inspection settings came to mind. Though, out of the box, the setting is the default one, NOT recommended, but I will have a look at the lab later to see what's there for ssh.

Andy

Cypress
Contributor

I will give this a try cloning the ssh service and changing the port.

EDIT: This appears to have done the trick.  I cloned the default ssh service, renamed it ssh_mist, and changed the port to 2200, and now I am no longer seeing "Reject" in the logs.  And both lab switches lit up green in my Mist console.  (They were showing Red/Disconnected before.)

PhoneBoy
Admin

Why not create a simple TCP service without a protocol handler for ssh?

Cypress
Contributor

This is what I've done.  I created a TCP service for port 2200, and did not select any protocol from the drop down menu.  Configuring in this way was not sufficient to allow this traffic.  I do get matches for "Accepted" but then a "Reject" right after it saying the version 1.x is not allowed message.

the_rock
Legend

Would you mind sending us a screenshot? Just please blur out any sensitive info. Btw, I did check in my lab and though my gateways are set to the recommended inspection profile, there is absolutely nothing referenced for ssh.

Andy

Cypress
Contributor

[Screenshot attachment: ssh_not_allowed.JPG]

This screenshot shows the accept immediately followed by the reject.  The accept matches the expected rule number and rule name, while the reject is blank for rule number/rule name.  It's the blankness that confuses me... what is blocking it?  It is coming from the firewall blade but it's not an actual "rule block".

the_rock
Legend

Does it give more info if you double click on it?

Cypress
Contributor

Lesley's suggestion of cloning the default ssh service and changing its port has fixed this issue.

the_rock
Legend

Great!
