
SilverShield SFTP behind XG

Hi Guys

I have a program called SilverShield, which is an SFTP program, behind UTM, and realized that it has DNAT set up on UTM. I am trying to set up DNAT on XG, which has more options, and tried a few, but it does not work. Looking at the screenshot below, is there a way of saying or showing me how I could mock this DNAT rule on XG?

Change the destination to: It's the server where I have the SilverShield SFTP program installed. When I try, WinSCP says Access Denied. I've checked Azure; all the Security Groups are allowing port 22. I can SSH to the XG no problem, but to this program I cannot. I think I need to set up DNAT in order to access the server and the program?

Thanks in advance.

Regards



This thread was automatically locked due to age.
  • Are you really going to NAT SSH to a server? From ANY? I would highly recommend not doing that.

  • What's the best practice? What do you suggest? I want to make it right :) Thanks

  • It highly depends on your scenario, but it's never recommended to open up SSH to the Internet. In almost all scenarios you're better off setting up a VPN such as SSLVPN at the firewall so you have a secure way to SSH to the server.

    But of course, if the SilverShield SFTP server supports public key authentication and has a login rate limit set up, or you have a lot of users who wouldn't be able to use a VPN, then it's "fine" to open it up to the Internet.

    If you still want to set up a DNAT to the server, you can check out this Recommended Read for XG v18. After setting up the NAT rule you will need to create a firewall rule to allow the traffic.

    One tip to reduce the amount of brute force attacks (if doing a DNAT): if possible, use a GeoIP policy.

    Example: If you're from the UK, and all users that will access the SFTP server are from the UK, then within the firewall policy you should only allow UK IPs.

    Thanks!
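The reply above makes public key authentication a condition for exposing the SFTP server. As an added example that is not part of the original thread, this Python sketch reads the method list that an OpenSSH client reports when it offers no credential, and flags guessable methods. The `audit` user name, the sample output and the key-only bar are assumptions of the example.

```python
import re
import subprocess

# Methods an attacker can guess online; a key cannot be guessed this way.
GUESSABLE = {"password", "keyboard-interactive"}
DENIED = re.compile(r"Permission denied \(([^)]*)\)")

# Constructed sample of OpenSSH client stderr (203.0.113.10 is a documentation IP).
SAMPLE = "audit@203.0.113.10: Permission denied (publickey,password)."


def offered_methods(ssh_stderr):
    """Return the auth methods listed in the 'Permission denied (...)' line."""
    match = DENIED.search(ssh_stderr)
    if not match:
        return []  # no SSH answer at all: filtered port, timeout, host key error
    return [m.strip() for m in match.group(1).split(",") if m.strip()]


def assess(ssh_stderr):
    """Summarise whether the endpoint is key-only (this example's assumed bar)."""
    methods = offered_methods(ssh_stderr)
    guessable = sorted(GUESSABLE.intersection(methods))
    return {
        "methods": methods,
        "guessable": guessable,
        "key_only": "publickey" in methods and not guessable,
    }


def probe(host, port=22, user="audit"):
    """Run the OpenSSH client with no credential and assess what it reports."""
    cmd = ["ssh", "-p", str(port),
           "-o", "BatchMode=yes",                   # never prompt
           "-o", "PreferredAuthentications=none",   # offer nothing, just ask
           "-o", "StrictHostKeyChecking=accept-new",
           "-o", "ConnectTimeout=5",
           f"{user}@{host}", "exit"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
    return assess(result.stderr)


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run `probe()` against the public address from outside the firewall after creating the DNAT and firewall rules; an empty `methods` list from a network that the GeoIP policy should block is the expected result.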

  • Thanks. The key is: reduce the attack surface.
