I keep seeing conflicting information regarding Zscaler’s ability to support SFTP traffic. As of now, we are using Tunnel 2.0 with the app profile. No GRE or IPSec tunnels are in use.
The OOTB pac file for tunnel 2.0 we were instructed to use has logic to bypass any “sftp://” traffic. If we were to remove this and allow traffic to come to Zscaler, can we use the Cloud Firewall to allow SFTP traffic by exception?
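For readers who have not looked inside the PAC file, here is an added illustration of the scheme-based bypass the question describes. It is not the Zscaler OOTB PAC file: the proxy target `zs-gateway.example:80`, the internal suffix `*.corp.example`, and the local stand-in for the PAC built-in `shExpMatch()` (so the file runs outside a browser) are all assumptions. The `bypassSftp` flag shows what changes when the sftp:// rule is removed: those URLs then get the PROXY verdict like everything else, which is why the client's proxy awareness matters.

```javascript
// Added example, not Zscaler's OOTB PAC. Placeholder proxy target and
// internal suffix; the PAC engine normally provides shExpMatch() itself.
var PROXY_TARGET = "PROXY zs-gateway.example:80"; // placeholder, not a real host
var BYPASS_SFTP = true; // the OOTB-style rule the thread talks about removing

// Minimal stand-in for the PAC built-in shExpMatch (glob with * and ?).
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Plain hostnames and RFC1918 literals are assumed to stay on the LAN.
function isPrivateHost(host) {
  if (host.indexOf(".") === -1) return true;
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(host);
}

// Core decision, parameterised so the effect of the sftp:// bypass is testable.
function decide(url, host, bypassSftp) {
  var scheme = url.toLowerCase().split("://")[0];
  // With the bypass in place, sftp:// never reaches the tunnel or the Cloud
  // Firewall; without it, the verdict falls through to PROXY like any other URL.
  if (bypassSftp && scheme === "sftp") return "DIRECT";
  if (isPrivateHost(host) || shExpMatch(host, "*.corp.example")) return "DIRECT";
  return PROXY_TARGET;
}

// The entry point a PAC-aware client calls.
function FindProxyForURL(url, host) {
  return decide(url, host, BYPASS_SFTP);
}
```

A client that never consults the PAC (a non proxy-aware SFTP tool, as the replies note) will not see either verdict, so the bypass only ever affects proxy-aware applications.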
So can you do SSH / SCP / FTP / SFTP ----- exceptions for Tunnel 2.0 ---- yes, it's actually quite easy – the question here would be how is the client or server initiating the SFTP or transfers ------ is that application proxy aware, can it pass authentication — and if so does that same user have access to both Zscaler and the external vendor to complete the transfer -----
With these questions answered you can totally write and control this access via ZCC and Tunnel 2.0 ---- I use an AD security group ------ that is descriptive to the use ------- this one is AllowFTPviaBrowser — and the firewall rule is that AD group ----- to a strict list of service TCP destination ports ---- to a strict list of destination URLs ----- just as an example
and it works fine -
There are a variety of FTP clients in use within the environment, so I’m not sure if they are all proxy aware. We are currently using FW rules to allow FTPS via an AD group but never did anything for SFTP because we were told Zscaler didn’t support it…
Kind of annoying now that I think about it because if we were to remove the sftp:// bypass from the pac file, we’d have problems. I’m thinking we’ll need to create an allow-all rule in order to first identify the traffic, then build the rules and AD groups around the identified SFTP traffic.
So you can also set up the same rule on the SSL interception layer rules – and if you can build out your destinations - you can say here do not inspect X URL - IP destinations - with your allow rule in the Firewall you can slowly break off and write specific rules per occurrence.
Since SFTP is actually file transfers over SSH, we do not have an easy way to distinguish that in a DPI-based system like cloud firewall. You can use network application=SSH in a cloud firewall rule but that includes all SSH traffic not just SFTP. This is probably why you heard that Zscaler doesn’t support SFTP. But this is true for all other DPI-based vendor systems as well. You could build a “wider” SSH based firewall rule and then build additional rules with other criteria like AD groups like you mentioned.
Thank you very much for the confirmation!