
SilverShield SFTP behind XG

Hi Guys

I have a program called SilverShield, which is an SFTP program, behind the UTM, and I realized that it has DNAT set up on the UTM. I am trying to set up DNAT on the XG, which has more options, and I have tried a few but it does not work. Looking at the screenshot below, is there a way you could show me how I could replicate this DNAT rule on the XG?

Change the destination to: it's the server where I have the SilverShield SFTP program installed. When I try, I get WinSCP saying "Access Denied". I've checked Azure; all the Security Groups are allowing port 22. I can SSH to the XG no problem, but to this program I cannot. I think I need to set up DNAT in order to access the server and the program?

Thanks in advance.

Regards



  • Hi Prism

    The version on the FW is SFOS 18.0.3 MR-3. All I want is basically that when my client uses the subdomain I set up, sftp01.mydomain.com, it goes to the web server which has SilverShield set up, and the username and password set up in SilverShield work.

    The current setup on the UTM works as it is. I just want to set up the same here on the XG.

  • Is it possible to do it? At the moment, if I am connected to the VPN and use the private IP of the server to SSH, it works. But what I want basically is that, without the VPN, when I use the domain sftp01.mydomain.com (which has an A record pointing to the firewall's IP) it should go to the web server where SilverShield is installed.

    How to achieve this with a Firewall Rule?

    Thanks

  • Hello

    Any update or suggestion? Is it doable?

  • Again, look at this recommended read on how to create a NAT & Firewall Rule, at the WAN-To-DMZ section. It will show you with images how to do this.

    https://community.sophos.com/xg-firewall/f/recommended-reads/121919/how-to-configure-firewall-rule-and-nat-rule-on-sophos-xg-v18

    Here's an example for you:

    This is the NAT Rule. On:

    • Original Source: Leave as Any.
    • Translated Source (SNAT): Leave as Original.
    • Original Destination: This is your WAN Port; in my case it is #Port2.
    • Translated Destination (DNAT): This is where the connection will be sent; in my case I've created a Server Host with the desired IP.
    • Original Service: In your case you will put SSH.
    • Translated Service (PAT): Since we're not doing PAT, you can leave it as Original.

    If you want to, you can also select your WAN Interface at Inbound Interface.

    Then you will need to create a Firewall Rule to allow the traffic. On:

    • Source Zone: This will be WAN.
    • Source Networks and Devices: Since you're not limiting the connection to a certain country or network, you can leave it as Any.
    • Destination Zone: In my case it is LAN, but if your server is in a different Zone, then you can select it there.
    • Destination Networks: This will be your WAN Port; in my case it is #Port2.
    • Services: This is the Service (Port) that you will want to allow for NAT, which in your case is SSH.

    Below on this rule you can also apply IPS, AV Scan, FTP Scan, or AppCtrl if necessary.
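The question that keeps coming back in this thread is whether a connection to sftp01.mydomain.com:22 is reaching the SFTP server at all, or is being dropped or answered by some other SSH daemon along the way. The script below is an added example, not code from this thread, from Sophos, or from SilverShield. It probes TCP/22 on the public hostname and on the private IP that is already known to work over the VPN, reads the SSH identification line each side sends (RFC 4253 section 4.2; the server speaks first, so nothing has to be sent), and compares them. The hostname sftp01.mydomain.com and the private IP passed on the command line are assumptions taken from the thread; the explanations map each outcome to the part of the NAT rule, firewall rule, NSG or Azure route that would produce it.

```python
"""Probe TCP/22 via the public hostname and via the known-good private IP,
then compare the SSH identification strings to see which host answered.

Added example for this thread; not Sophos, SilverShield or the poster's code.
Hostnames and IPs are assumptions passed on the command line.
"""
import socket
import sys
from typing import Optional, Tuple


def extract_ident(raw: bytes) -> Optional[str]:
    """Return the SSH identification line (e.g. 'SSH-2.0-OpenSSH_8.4') from
    data read so far. Servers may send free-text banner lines before it, so
    every complete line is checked; a trailing partial line is ignored."""
    complete_lines = raw.split(b"\n")[:-1]
    for line in complete_lines:
        text = line.decode("ascii", errors="replace").rstrip("\r")
        if text.startswith("SSH-"):
            return text
    return None


def probe(host: str, port: int = 22, timeout: float = 5.0) -> Tuple[Optional[str], Optional[str]]:
    """Connect and read the server identification. Returns (ident, error);
    error is None on success, else 'timeout', 'refused' or 'error:<detail>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            raw = b""
            # Read until a complete identification line arrives or 1 KiB is hit.
            while len(raw) < 1024 and extract_ident(raw) is None:
                chunk = sock.recv(1024 - len(raw))
                if not chunk:
                    break
                raw += chunk
        return extract_ident(raw), None
    except socket.timeout:
        return None, "timeout"
    except ConnectionRefusedError:
        return None, "refused"
    except OSError as exc:  # DNS failure, unreachable, reset, ...
        return None, f"error:{exc}"


EXPLANATIONS = {
    "FILTERED": "no SYN/ACK on the public path: packets are dropped before any SSH daemon; "
                "check the Azure NSG, the route table next hop, and that the NAT rule's "
                "Original Destination is the WAN interface address the traffic really arrives on",
    "REFUSED": "TCP reset: a host was reached but nothing listens on 22 there, "
               "or the firewall rule rejects instead of dropping",
    "ERROR": "DNS or socket error: confirm the A record resolves to the firewall's public IP",
    "NO_BANNER": "TCP accepted but no SSH identification received: something other than an "
                 "SSH server answered, or an intermediate device is holding the session",
    "WRONG_HOST": "an SSH daemon answered but not the one reached via the private IP: DNAT is not "
                  "being applied and the session most likely lands on the firewall's own SSH "
                  "service (the case that produces failed-SSH-login alerts on the XG)",
    "UNVERIFIED": "public path answered SSH, but the private-IP reference probe failed, "
                  "so the two could not be compared",
    "OK": "same identification on both paths: DNAT delivers port 22 to the SFTP server; "
          "if WinSCP still fails, look at the SilverShield account, not the firewall",
}


def diagnose(public_ident: Optional[str], reference_ident: Optional[str],
             public_error: Optional[str]) -> str:
    """Classify the public-path result against the reference (private-IP) result."""
    if public_error == "timeout":
        return "FILTERED"
    if public_error == "refused":
        return "REFUSED"
    if public_error is not None:
        return "ERROR"
    if public_ident is None:
        return "NO_BANNER"
    if reference_ident is None:
        return "UNVERIFIED"
    return "OK" if public_ident == reference_ident else "WRONG_HOST"


def main(argv) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} PUBLIC_HOSTNAME PRIVATE_IP_OF_SFTP_SERVER")
        return 2
    public_host, reference_host = argv[1], argv[2]   # e.g. sftp01.mydomain.com 10.10.2.10 (assumed)
    ref_ident, ref_err = probe(reference_host)       # known-good path (over the VPN)
    pub_ident, pub_err = probe(public_host)          # path through the XG DNAT
    code = diagnose(pub_ident, ref_ident, pub_err)
    print(f"{reference_host}:22 -> {ref_ident or ref_err}")
    print(f"{public_host}:22 -> {pub_ident or pub_err}")
    print(f"{code}: {EXPLANATIONS[code]}")
    return 0 if code == "OK" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a client that has the VPN up (so the private IP is reachable) but resolves sftp01.mydomain.com to the public address. One caveat: if the firewall's own SSH service and the SFTP server happen to present an identical version string, the identification alone cannot tell them apart; in that case compare host keys with `ssh-keyscan -p 22 <host>` on both paths instead.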

  • Hi Prism

    I've done that, but the issue is that I still can't access it via the hostname, and it doesn't work without the XG VPN.

    I wonder if it's anything to do with the route table in Azure, or can I put any type of rule to say that if a user tries to connect to sftp01.mydomain.com port 22 (using WinSCP) then forward it to the SFTP server?

    Thanks

  • Any thoughts on that? I've tried a few things: I created a new route table and added my own IP only, and it works fine with the host name. But when I put the subnet behind the firewall route table, it isn't working unless the VPN is on and I use the server's private IP. Any suggestions where to look or how to solve this?

  • Do you want to DNAT TCP/21, which is FTP, or TCP/22, which is SSH?

    In the discussion above you wanted to DNAT SSH, which is port 22, but your log image is showing port 21 as the destination.

    Since there's no DNAT Firewall or NAT Rule, the traffic to TCP/21 is being blocked. So, can you please confirm which port you need to allow access to, port 21 or port 22?

    Thanks!

  • Port 22 is what I need. When I add that Firewall Rule (above, with the screenshot you shared) WinSCP can't connect to the server at all. So I disable that NAT rule, and then I can see logs from the FW.

    But it's showing port 21 for some strange reason, while in WinSCP it's port 22.

    Also, since this is in Azure, there are two ports.

    Port A and Port B

    in the Azure Route table

    Next hop Address is the FW's Port A

    Port B: 10.10.254.4

    Port A: 10.10.1.4

    I don't understand why Port B goes to port 21. This is strange.

    FW as follows:

    prod-SFTP is the server where SilverShield is installed. (This server works fine when I remove it from the Azure route table.)

    Any ideas?

  • But then again, the notification shows me that I am trying to SSH...

    Device Information:
    Hostname: myxg.mydomain.com
    Management Interface IP: Not configured/Not available
    Date/Time: 2020-11-06 18:52:49
    Alert ID: 17507


    Message:
    User 'test' failed to login from '78.57.183.54' using ssh because of wrong credentials