12-15-2015 11:32 AM
Hi all,
Can someone please explain why the "github-base" application depends on SSH?
We are running into a number of problems with web sites that are hosted on Github. Users want to get to these sites for legitimate reasons. IT people have also wanted to download Github projects. I don't have a problem with approving github-base, but we have no desire to approve SSH.
Any help or advice is appreciated.
TIA,
- Steve
12-16-2015 02:10 PM
Hi,
You don't need to allow SSH just to browse the website, but you will probably get a warning every time you commit some changes on the firewall (which you can ignore in your case). Even if you fork the repository, it will work as long as you use git with HTTPS and not SSH. The website seems to be hosted by Github, hence the github-base app for that traffic.
Regards,
Benjamin
12-15-2015 03:55 PM
So I could be wrong on this, however scp also uses port 22 and is identified by the PAN as SSH traffic. Not sure if github uses scp, however if it doesn then this could be the reason why. You could further lock down the policy for github to certain sites only?
Cheers!
12-16-2015 03:41 AM
unless Github provides a list of their public IPs and you limit your rule to them, then you will have to allow SSH globally unfortunatly.
Doesn't Github have a SSL/HTTP fallback method ?
12-16-2015 07:29 AM
Hi,
This webpage lists the current IP address range used, so you could restrict SSH to this range:
https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
Regards,
Benjamin
12-16-2015 07:53 AM
Hi all,
Thanks for the replies. This is one of the websites that our PAs are blocking:
Note that this page isn't on GitHub itself. The source code for the project is on GitHub. Looking at the page's source, I see two links to GitHub - the "Source" link at the top and the "send and issue or pull request" link at the bottom. Both of these links use the HTML tag
<i class="fa fa-github"></i>
My HTML is pretty rusty, because I thought that <i> was for italics.
So I'm back to the original question, why do we need ssh enabled to use this site? For that matter, should we need the github-base app-ID enabled at all?
Thanks,
- Steve
12-16-2015 02:10 PM
Hi,
You don't need to allow SSH just to browse the website, but you will probably get a warning every time you commit some changes on the firewall (which you can ignore in your case). Even if you fork the repository, it will work as long as you use git with HTTPS and not SSH. The website seems to be hosted by Github, hence the github-base app for that traffic.
Regards,
Benjamin
01-04-2016 12:33 PM
Hi Benjamin,
Thanks for the info; I wanted to wait until our primary firewall admin got back from vacation to discuss it with him. We agree that we could enable github-base without SSH and put up with the errors. However I disagree that the traffic application should be "github-base" in the first place since this is basically a straight HTTP site. We are going to open a ticket with PA tech support about that.
Thanks,
- Steve
09-18-2019 12:46 PM
https://live.paloaltonetworks.com/t5/MineMeld-Discussions/New-GitHub-Miner/td-p/229904
Haven't tried it yet but looks like a reasonable solution for restricting SSH to GitHub destinations.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
