R81.20.05+ - SSH traffic is excluded from VPN
As of R81.10.05, it seems SSH and SFTP (TCP/22) traffic originating from the gateway itself to a server behind a VPN tunnel is not put in the tunnel but sent out according to the routing table. Not sure what is causing this behavior; I do not find anything in the release notes. Any ideas?
- All firewalls are centrally managed.
- SSH is not excluded from VPN.
- No crypt.def is used.
- Same firewalls with same policy in the same community but on R81.10.00/R77.20.81/R80.20.35 do not have this issue.
- Behavior is seen in different environments.
- Use case is SFTP backup!
A TAC case is created.
Accepted Solutions
"fw ctl set int accept_ssh_https_outgoing_clear 0" or clish -c "kernel-parameter set name accept_ssh_https_outgoing_clear type int value 0" solves the issue.
This kernel parameter seems to have been introduced in R81.10.05; according to TAC, an SK is submitted for approval but not yet published.
I also read the release notes/known issues, and the only thing for SSH is a protection related to threat prevention; as far as SFTP, I don't see anything.
Let us know what TAC says.
Andy
Thanks for letting us know.
Andy