SilverShield SFTP behind XG

Hi Guys

I have a program called SilverShield, which is an SFTP program, behind the UTM and realized that it has DNAT set up on the UTM. I am trying to set up DNAT on the XG, which has more options, and have tried a few things, but it does not work. Looking at the screenshot below, is there a way of telling or showing me how I could mimic this DNAT rule on the XG?

Change the destination to: it's the server where I have the SilverShield SFTP program installed. When I try, I get WinSCP saying "Access Denied". I've checked Azure; all the security groups are allowing port 22. I can SSH to the XG no problem, but to this program I cannot. I think I need to set up DNAT in order to get access to the server and the program?

Thanks in advance.

Regards



  • It highly depends on your scenario, but it's never recommended to open up SSH to the Internet. In almost all scenarios you're better off setting up a VPN such as SSL VPN at the firewall so you have a secure way to SSH to the server.

    But of course, if the SilverShield SFTP server supports public key authentication and has a login rate limit set up, or you have a lot of users who wouldn't be able to use a VPN, then it's "fine" to open it up to the Internet.

    If you still want to set up a DNAT to the server, you can check out this Recommended Read for XG v18. After setting up the NAT rule you will need to create a firewall rule to allow the traffic.

    One tip to reduce the amount of brute force attacks (if doing a DNAT) is: if possible, use a GeoIP policy.

    Example: if you're from the UK, and all users that will access the SFTP server are from the UK, then within the firewall policy you should only allow UK IPs.

    Thanks!

  • Thanks. The key is: reduce the attack surface.

  • Thanks Prism. Looking at the UTM DNAT, how can I make the same one? We have a lot of clients using the SFTP, and they are in a few EU countries, the USA, Canada and even Asia. So I want to get it working first and then tidy up with proper rules etc.

    Regards

  • First of all, are you on v17.5 or v18?

    If you're on v18 I can send you some screenshots on how to do this.

    Also, take a look at this Recommended Read for v18 first, at the WAN-TO-DMZ Traffic section.

  • Hi Prism

    The version on the FW is SFOS 18.0.3 MR-3. All I want is basically this: when my client uses the subdomain I set up, sftp01.mydomain.com, it goes to the web server which has SilverShield set up, and works with the username and password set up in SilverShield.

    The current setup on the UTM works as it is. I just want to set up the same here on the XG.

  • Is it possible to do it? At the moment, if I am connected to the VPN and use the private IP of the server to SSH, it works. But what I want basically is that, without the VPN, when I use the domain sftp01.mydomain.com (which has an A record pointing to the firewall's IP) it should go to the web server where SilverShield is installed.

    How can I achieve this with a firewall rule?

    Thanks

  • Hello

    Any update or suggestion? Is it doable?

  • Again, look at this Recommended Read on how to create a NAT and firewall rule, at the WAN-To-DMZ section; it will show you with images how to do this.

    https://community.sophos.com/xg-firewall/f/recommended-reads/121919/how-to-configure-firewall-rule-and-nat-rule-on-sophos-xg-v18

    Here's an example for you.

    This is the NAT rule. On:

    • Original Source: leave as Any.
    • Translated Source (SNAT): leave as Original.
    • Original Destination: this is your WAN port; in my case it is #Port2.
    • Translated Destination (DNAT): this is where the connection will be sent; in my case I've created a Server Host with the desired IP.
    • Original Service: in your case you will put SSH.
    • Translated Service (PAT): since we're not doing PAT, you can leave it as Original.

    If you want to, you can also select your WAN interface as the Inbound Interface.

    Then you will need to create a firewall rule to allow the traffic. On:

    • Source Zone: this will be WAN.
    • Source Networks and Devices: since you're not limiting the connection to a certain country or network, you can leave it as Any.
    • Destination Zone: in my case it is LAN, but if your server is in a different zone, then select that one.
    • Destination Networks: this will be your WAN port; in my case it is #Port2.
    • Services: this is the service (port) that you want to allow for the NAT, which in your case is SSH.

    Lower down in this rule you can also apply IPS, AV scan, FTP scan, or application control if necessary.
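Once the NAT rule and firewall rule above are in place, the useful check is to connect from outside the firewall to the public name and look at which SSH server answers: the SFTP server, the XG's own admin SSH, or nothing at all. The script below is an added example written for this thread, not code from Sophos, SilverShield or the poster. It reads the SSH identification string (RFC 4253 allows a server to send extra lines before the line starting with `SSH-`) and turns the outcome into a short diagnosis. The host name sftp01.mydomain.com comes from the thread; the banner fragment to expect is an assumption you should take from a known-good connection over the VPN to the server's private IP, which the thread says works.

```python
"""Probe an SFTP endpoint and report which SSH server answered.

Added example for the DNAT troubleshooting in this thread. Run it from
a host OUTSIDE the firewall after creating the NAT and firewall rules.
Assumptions: the public name (sftp01.mydomain.com) and the expected
banner fragment are placeholders you replace with your own values.
"""
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    reachable: bool           # TCP connection succeeded and data was read
    banner: Optional[str]     # the "SSH-..." identification line, if any
    note: str                 # short diagnosis for the DNAT setup


def parse_ssh_banner(raw: bytes) -> Optional[str]:
    """Return the SSH identification line from the first bytes a server sent.

    Lines before the one starting with "SSH-" are permitted pre-banner text
    and are ignored; only the "SSH-" line identifies the server software.
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    return None


def classify(banner: Optional[str], expected_fragment: str) -> str:
    """Map the banner to a diagnosis: right server, wrong server, or no SSH."""
    if banner is None:
        return "port open but no SSH banner: something else answered on this port"
    if expected_fragment.lower() in banner.lower():
        return "DNAT works: the SFTP server answered"
    return (f"wrong endpoint: SSH answered with '{banner}' "
            "(the firewall's own SSH or another host, not the SFTP server)")


def probe(host: str, port: int = 22, expected_fragment: str = "SilverSHielD",
          timeout: float = 5.0) -> ProbeResult:
    """Connect, read the first bytes and diagnose; never raises on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            raw = sock.recv(1024)
    except socket.timeout:
        # Silent drop: typically a missing firewall rule, NSG rule or route.
        return ProbeResult(False, None, "timeout: packets dropped on the way")
    except ConnectionRefusedError:
        # The DNAT target was reached but nothing listens on the port.
        return ProbeResult(False, None, "refused: target reached, no listener")
    except OSError as exc:
        return ProbeResult(False, None, f"error: {exc}")
    banner = parse_ssh_banner(raw)
    return ProbeResult(True, banner, classify(banner, expected_fragment))


if __name__ == "__main__":
    # Replace the name and fragment with your own values (assumed here).
    print(probe("sftp01.mydomain.com", expected_fragment="SilverSHielD"))
```

A timeout from outside while the same probe succeeds over the VPN against the private IP points at the path (NAT rule, firewall rule, Azure NSG or route table) rather than at SilverShield itself; a banner that belongs to the firewall's own SSH means the connection stopped at the XG instead of being translated to the server.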

  • Hi Prism

    I've done that, but the issue is that I still can't access it via the hostname, and it doesn't work without the XG VPN.

    I wonder if it's anything to do with the route table in Azure, or can I put in any type of rule to say that if a user tries to connect to sftp01.mydomain.com on port 22 (using WinSCP) then forward it to the SFTP server?

    Thanks

  • Any thoughts on that? I've tried a few things: I created a new route table and added only my own IP, and it works fine with the hostname. But when I put the subnet behind the firewall's route table, it isn't working unless the VPN is on and I use the server's private IP. Any suggestions on where to look or how to solve this?