https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308466#M80019 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/116069">@SahulH</a> ,</P> <P>&nbsp;</P> <P>Yes there is indeed an open feature request for this (to differentiate SFTP from SSH in APP-ID).&nbsp;</P> <P>&nbsp;</P> <P>Please reach out to your local SE and have him add your vote to the FR:</P> <P><SPAN class="news-body-text"><SPAN><STRONG>FR ID:</STRONG> 2555</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="news-body-text">Cheers,</SPAN></P> <P><SPAN class="news-body-text">-Kiwi.</SPAN></P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Wed, 29 Jan 2020 11:35:41 GMT kiwi 2020-01-29T11:35:41Z https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308459#M80017 <P>Hi Team,</P><P>&nbsp;</P><P>I am trying to achieve my requirement however, unable to achieve it. Please review my requirement below and suggest your thoughts if there are any possible way to accomplish.</P><P>&nbsp;</P><P>I want to block SSH traffic and at the same time i need to allow SFTP traffic for our users. I have referred to some KB Article and that states in order to allow the SFTP traffic we need to allow SSH application. So if in this case Normal SSH Traffic also will get allowed. So please share your thoughts for the same.</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHtCAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHtCAK</A></P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOPCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOPCA0</A></P><P>&nbsp;</P><P>Also i can see that, there is a feature request for creating a separate App ID for SFTP (Link Mentioned below). Can i know the status on that as well.</P><P>&nbsp;</P><P><SPAN class="collab-selectable-content-wrapper"><SPAN><A href="https://live.paloaltonetworks.com/t5/General-Topics/How-to-restrict-FTP-and-SFTP-access-using-a-security-policy/m-p/6617#M4837" target="_blank" rel="noopener noreferrer">https://live.paloaltonetworks.com/t5/General-Topics/How-to-restrict-FTP-and-SFTP-access-using-a-security-policy/m-p/6617#M4837</A></SPAN></SPAN></P><P>&nbsp;</P><P>Awaiting for your response !!</P><P>&nbsp;</P><P>Best Regards,</P><P>Sahul Hameed</P> Wed, 29 Jan 2020 11:19:39 GMT https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308459#M80017 SahulH 2020-01-29T11:19:39Z https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308466#M80019 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/116069">@SahulH</a> ,</P> <P>&nbsp;</P> <P>Yes there is indeed an open feature request for this (to differentiate SFTP from SSH in APP-ID).&nbsp;</P> <P>&nbsp;</P> <P>Please reach out to your local SE and have him add your vote to the FR:</P> <P><SPAN class="news-body-text"><SPAN><STRONG>FR ID:</STRONG> 2555</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="news-body-text">Cheers,</SPAN></P> <P><SPAN class="news-body-text">-Kiwi.</SPAN></P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Wed, 29 Jan 2020 11:35:41 GMT https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308466#M80019 kiwi 2020-01-29T11:35:41Z https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308470#M80020 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a> ,</P><P>&nbsp;</P><P>Thanks for your response on my query, Also i want to know is there of any way to accomplish the necessary requirement in our Current scenario without having a separate App ID for SFTP. To block SSH and allow only SFTP traffic. Do let us know on this as well.</P><P>&nbsp;</P><P>Thanks in advance !!</P><P>&nbsp;</P><P>Best Regards,</P><P>Sahul Hameed</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 29 Jan 2020 11:42:21 GMT https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308470#M80020 SahulH 2020-01-29T11:42:21Z https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308502#M80025 <P>Since SFTP is just FTP over SSH, it implicitly is just SSH. So without deeper inspection of the packets by the AppID enigne there is no way to a SSH terminal over SFTP.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 29 Jan 2020 14:56:52 GMT https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308502#M80025 RobinClayton 2020-01-29T14:56:52Z https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308531#M80034 <P>Hello,</P><P>How about a whitelist that allows your users to only sites that are approved?</P><P>&nbsp;</P><P>Just a thought.</P> Wed, 29 Jan 2020 16:20:43 GMT https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308531#M80034 OtakarKlier 2020-01-29T16:20:43Z https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308700#M80070 <P>Agreed!&nbsp; SFTP is just an FTP feature traversing over SSH.&nbsp; They are essentially the same protocol.&nbsp; You would have to have some crazy man-in-the-middle encrypt/decrypt to even attempt this.&nbsp; This sounds a lot like security engineer over-reach or misunderstanding of protocols.</P> Thu, 30 Jan 2020 14:51:59 GMT https://live.paloaltonetworks.com/t5/general-topics/want-to-allow-sftp-only-and-not-ssh-traffic/m-p/308700#M80070 jeremy.larsen 2020-01-30T14:51:59Z