Want to allow SFTP only and not SSH Traffic

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Want to allow SFTP only and not SSH Traffic

L3 Networker

Hi Team,


I am trying to achieve my requirement however, unable to achieve it. Please review my requirement below and suggest your thoughts if there are any possible way to accomplish.


I want to block SSH traffic and at the same time i need to allow SFTP traffic for our users. I have referred to some KB Article and that states in order to allow the SFTP traffic we need to allow SSH application. So if in this case Normal SSH Traffic also will get allowed. So please share your thoughts for the same.





Also i can see that, there is a feature request for creating a separate App ID for SFTP (Link Mentioned below). Can i know the status on that as well.




Awaiting for your response !!


Best Regards,

Sahul Hameed


Community Team Member

Hi @SahulH ,


Yes there is indeed an open feature request for this (to differentiate SFTP from SSH in APP-ID). 


Please reach out to your local SE and have him add your vote to the FR:

FR ID: 2555




LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi ,


Thanks for your response on my query, Also i want to know is there of any way to accomplish the necessary requirement in our Current scenario without having a separate App ID for SFTP. To block SSH and allow only SFTP traffic. Do let us know on this as well.


Thanks in advance !!


Best Regards,

Sahul Hameed



Since SFTP is just FTP over SSH, it implicitly is just SSH. So without deeper inspection of the packets by the AppID enigne there is no way to a SSH terminal over SFTP. 




How about a whitelist that allows your users to only sites that are approved?


Just a thought.

Agreed!  SFTP is just an FTP feature traversing over SSH.  They are essentially the same protocol.  You would have to have some crazy man-in-the-middle encrypt/decrypt to even attempt this.  This sounds a lot like security engineer over-reach or misunderstanding of protocols.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!