K_R_V
Collaborator

R81.20.05+ - SSH traffic is excluded from VPN

As of R81.10.05, it seems SSH and SFTP (TCP/22) traffic originating from the gateway itself to a server behind a VPN tunnel is not put in the tunnel but sent out according to the routing table. Not sure what is causing this behavior; I do not find anything in the release notes. Any ideas?

  • All firewalls are centrally managed.
  • SSH is not excluded from VPN.
  • No crypt.def is used.
  • Same firewalls with same policy in the same community but on R81.10.00/R77.20.81/R80.20.35 do not have this issue.
  • Behavior is seen in different environments.
  • Use case is SFTP backup!

A TAC case is created.

0 Kudos
1 Solution

Accepted Solutions
K_R_V
Collaborator

"fw ctl set int accept_ssh_https_outgoing_clear 0" or clish -c "kernel-parameter set name accept_ssh_https_outgoing_clear type int value 0" solves the issue.

This kernel parameter seems to have been introduced in R81.10.05; according to TAC, an SK has been submitted for approval but is not yet published.


3 Replies
the_rock
MVP Diamond

I also read the release notes/known issues, and the only thing for SSH is a protection related to threat prevention; as far as SFTP, I don't see anything.

Let us know what TAC says.

Andy

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos

the_rock
MVP Diamond

Thanks for letting us know.

Andy

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
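
To confirm that the kernel-parameter change from the accepted solution took effect, a capture from the gateway's external interface can be checked for TCP/22 packets to the peer's encryption domain that leave unencrypted instead of inside ESP. The Python script below is an added example, not part of the original thread or of Check Point's tooling; the gateway address, the encryption-domain CIDR and the tcpdump lines are all constructed, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample: `tcpdump -nn` text taken on the gateway's external interface.
SAMPLE_CAPTURE = """\
10:15:01.000101 IP 203.0.113.10.40112 > 10.20.30.40.22: Flags [S], seq 1001, win 29200, length 0
10:15:01.000450 IP 203.0.113.10 > 198.51.100.7: ESP(spi=0x1a2b3c4d,seq=0x10), length 120
10:15:02.100200 IP 203.0.113.10.40113 > 192.0.2.50.22: Flags [S], seq 2002, win 29200, length 0
10:15:03.200300 IP 203.0.113.10.51000 > 10.20.30.41.443: Flags [S], seq 3003, win 29200, length 0
10:15:04.300400 IP 10.20.30.40.22 > 203.0.113.10.40112: Flags [S.], seq 4004, ack 1002, win 28960, length 0
"""

# tcpdump prints TCP endpoints as a.b.c.d.port followed by "Flags".
# ESP (and NAT-T UDP-encapsulated ESP) lines have no "Flags" field and do not match.
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags")

def find_clear_leaks(capture, gateway_ip, remote_domain, ports=(22,)):
    """Return (src, dst, dport) for gateway-originated TCP packets to the
    peer's encryption domain that appear in clear on the external interface."""
    nets = [ipaddress.ip_network(n) for n in remote_domain]
    leaks = []
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # encrypted (ESP) or non-TCP line
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if src != gateway_ip or dport not in ports:
            continue  # not traffic from the gateway itself on a watched port
        if any(ipaddress.ip_address(dst) in n for n in nets):
            leaks.append((src, dst, dport))  # should have been inside the tunnel
    return leaks

if __name__ == "__main__":
    # Assumed values: 203.0.113.10 is the gateway, 10.20.30.0/24 the remote encryption domain.
    for leak in find_clear_leaks(SAMPLE_CAPTURE, "203.0.113.10", ["10.20.30.0/24"]):
        print("clear-text outside tunnel: %s -> %s:%d" % leak)
```

An empty result after setting accept_ssh_https_outgoing_clear to 0 and re-running the SFTP backup indicates the traffic is no longer leaving in clear. Passing ports=(22, 443) extends the check to HTTPS, which the parameter name suggests is handled the same way (an assumption; the thread only reports TCP/22).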
