Can someone please explain why the "github-base" application depends on SSH?
We are running into a number of problems with web sites that are hosted on Github. Users want to get to these sites for legitimate reasons. IT people have also wanted to download Github projects. I don't have a problem with approving github-base, but we have no desire to approve SSH.
Any help or advice is appreciated.
So I could be wrong on this, however scp also uses port 22 and is identified by the PAN as SSH traffic. Not sure if GitHub uses scp, however if it does then this could be the reason why. You could further lock down the policy for GitHub to certain sites only?
Unless GitHub provides a list of their public IPs and you limit your rule to them, then you will have to allow SSH globally, unfortunately.
Doesn't GitHub have an SSL/HTTP fallback method?
This webpage lists the current IP address range used, so you could restrict SSH to this range:
Thanks for the replies. This is one of the websites that our PAs are blocking:
Note that this page isn't on GitHub itself. The source code for the project is on GitHub. Looking at the page's source, I see two links to GitHub - the "Source" link at the top and the "send and issue or pull request" link at the bottom. Both of these links use the HTML tag
<i class="fa fa-github"></i>
My HTML is pretty rusty, because I thought that <i> was for italics.
So I'm back to the original question, why do we need ssh enabled to use this site? For that matter, should we need the github-base app-ID enabled at all?
You don't need to allow SSH just to browse the website, but you will probably get a warning every time you commit some changes on the firewall (which you can ignore in your case). Even if you fork the repository, it will work as long as you use git with HTTPS and not SSH. The website seems to be hosted by Github, hence the github-base app for that traffic.
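What "use git with HTTPS and not SSH" can look like on a workstation, as an added example that is not part of the original thread: git's `url.<base>.insteadOf` setting rewrites SSH-form GitHub remotes to HTTPS, so clones, fetches and pushes go out on tcp/443 and no SSH rule is needed for them. The repository name `example-org/example-repo` and the sandbox directory are constructed for the demonstration.

```shell
# Rewrite SSH-form GitHub remotes to HTTPS so git traffic leaves on tcp/443.
force_github_https() {
    # $1 = git config scope flag: --global (default), --system or --local
    scope="${1:---global}"
    # scp-style remote: git@github.com:owner/repo.git
    git config "$scope" --add url."https://github.com/".insteadOf "git@github.com:"
    # URL-style remote: ssh://git@github.com/owner/repo.git
    git config "$scope" --add url."https://github.com/".insteadOf "ssh://git@github.com/"
}

# Print the URL git will really connect to for a remote, after rewriting.
# --get-url expands insteadOf rules and exits without contacting the remote.
effective_url() {
    # $1 = repository path, $2 = remote name
    git -C "$1" ls-remote --get-url "$2"
}

# Offline demonstration in a throwaway HOME, so the real ~/.gitconfig is untouched.
demo() {
    sandbox="$(mktemp -d)" || return 1
    (
        export HOME="$sandbox" GIT_CONFIG_NOSYSTEM=1
        unset XDG_CONFIG_HOME
        git init -q "$sandbox/repo"
        # Constructed remote, written the way an SSH clone would record it.
        git -C "$sandbox/repo" remote add origin \
            "git@github.com:example-org/example-repo.git"
        force_github_https --global
        effective_url "$sandbox/repo" origin
    )
    status=$?
    rm -rf "$sandbox"
    return "$status"
}

demo
```

On a real machine, run `force_github_https --global` once per user, then check any existing clone with `effective_url . origin` before relying on the firewall rule.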
Thanks for the info; I wanted to wait until our primary firewall admin got back from vacation to discuss it with him. We agree that we could enable github-base without SSH and put up with the errors. However I disagree that the traffic application should be "github-base" in the first place since this is basically a straight HTTP site. We are going to open a ticket with PA tech support about that.
Haven't tried it yet but looks like a reasonable solution for restricting SSH to GitHub destinations.