Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Port forwarding SSH services in sonicwall

LucasLucas Newbie ✭
edited October 2020 in Entry Level Firewalls

Dear support

I have setup the port forwarding sFTP services over SSH in SonicWall TZ400 device as per attached. The setup is following the sonicwall documentation for port forwarding ftp services to internal ftp server like filezilla and have tested working well for filezilla ftp server. But however this method does not work for SSH services although I see there is traffic flowing from WAN to LAN and vice versa from the packet monitor but however there is no traffic register in the sFTP server log and the client thus has "failed authentication" message.

And I have tested out the same setup using watchguard firewall and works perfectly to the same sFTP server. Meaning the client is able to login successfully and there are traffic registered in the sFTP sever event logs.

Appreciate your kind sharing of sFTP server setup over SSH as its not the same as FTP server. There must be some other settings required inorder for SSH services to work.



Category: Entry Level Firewalls
Reply

Best Answer

Answers

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @Lucas

    Try as same as the screenshot;


  • shiprasahu93shiprasahu93 Moderator
    edited October 2020

    Hello @Lucas,

    Do you have DPI SSH enabled on the firewall? Also, on the server itself are you seeing any logs that can tell what is the problem with authentication?

    Also, please make sure that SSH is not turned on for management on the WAN interface.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • LucasLucas Newbie ✭

    Hi Ajishlal / Shiprasahu

    Thanks for your reply, I have tried you suggestion as below and the problem still remain the same ie. Failed Authentication message at the client winscp over SSH service.

    1) Setting the translated source to "sFTP server (WAN)".

    2)  Maximum DPI Connections (DPI services enabled) is checked. There is no DPI SSH in the firewall setting.

    3) SSH MANAGEMENT is enabled by default for the LAN and WAN interface and not allow to disable.

    4) On the sFTP server itself, there is no event log registered. Normally it would shows logging activities like authentication and etc.

    5) There is traffic captured from the remote client winscp to the sonicwall wan interface and then from the wan to lan interface and vice versa. But somehow no logging activities shown in the event logs of the Cerberus sFTP server and thus "Failed Authentication" message at the client.

    6) Attached is the packet monitor captured for your perusal, and really baffle me as there are traffic flying thru but failed to registered in the server log. The same setup works perfectly for watchquard firewall to the same server.



  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @Lucas

    Try to change the translated source to X0 IP.


  • LucasLucas Newbie ✭

    Hi AJISHLAL 

    I have now tried with X0 IP and also X1 IP at translated source and the result is still the same - Failed Authentication. It has to be something else that prevent he authentication packet from reaching the server as there is no recorded logs at all. Very strange and there is no drop packets for the related traffics as well.


    rgds

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    hi @Lucas

    if you are suspecting the authentication packet preventing by Firewall, Please try to disable the DPI in WAN to LAN access rule.


  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @Lucas

    Moreover try to exclude the server from CFS policy.

  • LucasLucas Newbie ✭

    Hi Ahishlal

    Thanks for your suggestion and same error appears at the client winscp. I have now escalated the issue to support for their further troubleshooting and investigation.


    Sakshi


    I have already tried all the relevant setup and troubleshooting as suggested by the sonicwall community group and the result is still the same i.e. failed authentication message as per attached even by different sFTP server providers like Cerberus and SolarWind. I have also tested the same sFTP server setting going thru the watchguard firewall and works perfectly well where client winscp is able to login successfully. And I also follow the same setup as per the documentation for port forwarding for filezilla and works well for filezilla ftp server only. Its very obvious that sFTP server over SSH failed to work behind sonicwall firewall. I request your side to test and setup the same using cerberus ftp server and winscp client to access over SSH in sonicwall TZ400 firmware version 6.5 and share your findings. It would be good also for your documentation for SSH services setup behind the firewall device.


    Lucas Lee Shui Kee

    Kintetsu World Express (Malaysia) Sdn Bhd

    Corporate Information Technology Department

    Project Manager

    Office No : 603-78062466 Mobile No : 6019-7319218

  • DarshilDarshil Newbie ✭
    edited December 2020

    Hi @Lucas

    Did you get the solution on it from support..??

    Because same kind of issue i am facing at customer site. Tried everything but file will not get transferred through winscp but when we check same setting going through cyberoam firewall it works fine.

  • LucasLucas Newbie ✭

    Hi @Darshil

    Yes I finally managed to get it to work just by setting the priority of the custom SSH policy to the topmost priority level. Reason being is that SonicWall implement default SSH Management over port 22 to manage the remote login into the device. Alternatively you may want to change the custom SSH port to eg. 2022 and it would work out fine without changing the priority level.


    rgds

  • WCRORLANDOWCRORLANDO Newbie ✭

    This was helpful for me also, thank you

Sign In or Register to comment.