| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
I have NGx R65 with HFA_02 running on Nokia and being managed by a CMA inside Provider-1. I set SmartDefense default_protection to "monitor" and not blocking ssh version 1; however, I still see this:

```
Number: 3014
Date: 17Jan2008
Time: 12:18:08
Interface: eth1c0
Origin: dca-Nokia-1-P
Type: Alert
Action: Reject
Service: gssh (22)
Source Port: 49978
Source: 192.168.15.10
Destination: h_192.168.2.3 (192.168.2.3)
Protocol: tcp
Information: message_info: SSH version 1.x is not allowed
Product: VPN-1 Power/UTM
SmartDefense Profile: Default_Protection
Policy Info: Policy Name: Nokia
Created at: Thu Jan 17 11:17:44 2008
Installed from: test_CMA
```

Basically, it blocks ssh version 1 on my network even though I have it set to either "in-active" or "monitor only". It still blocks ssh version 1. How do I go about fixing this? Thanks.
| |||
Do you have any rules that restrict a connection to SSHv2 only? I saw this once where there was a rule to allow inbound SSHv2 and a rule to allow SSHv1 to the Internet router and the v1 was getting dropped. Changing the SSHv2 rule to SSH and life was good. I never followed up on it so I don't know how to fix it.
| |||
Actually, in my ruleset, I have the following:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Any    | Any         | ssh-v2  | Accept |

ssh both inbound and outbound

ssh version 1 is blocked by SmartDefense even though it is set to monitor
| |||
I don't know if you ever figured this out, but I had the same problem yesterday. I wanted to add to this message for future searchers. If you look closely at the "ssh version 2" object, you'll notice that its description says "SSH2 protocol only, block SSH1". Even if you have ssh in that group, this object will cause it to block. If you want ssh1 and ssh2, use the object "SSH". Hope this helps and isn't too late.
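
The version check behind "SSH version 1.x is not allowed", as an added example that is not part of the thread and not Check Point code: it classifies the identification strings both sides send at connection start (RFC 4253, section 4.2) and lists the sessions that would still run SSH1, which is useful to know before a rule is limited to an SSH2-only service object. The banners and the second host pair are constructed, the function names are hypothetical, and that the firewall decides on these strings is an assumption.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(rb"^SSH-(\d+)\.(\d+)-([\x21-\x7e]+)(?: .*)?$")

def classify_ssh_ident(line: bytes) -> str:
    """Return 'ssh1', 'ssh2', 'ssh1+ssh2' or 'invalid' for one identification line."""
    m = _IDENT.match(line.rstrip(b"\r\n"))
    if not m:
        return "invalid"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "ssh1+ssh2"  # 1.99: speaks 2.0 but still accepts 1.x peers
    if major == 2:
        return "ssh2"
    if major == 1:
        return "ssh1"
    return "invalid"

def negotiated_version(client_ident: bytes, server_ident: bytes) -> str:
    """Protocol the two peers would end up using: 'ssh2', 'ssh1' or 'none'."""
    c, s = classify_ssh_ident(client_ident), classify_ssh_ident(server_ident)
    if "invalid" in (c, s):
        return "none"
    if "ssh2" in c and "ssh2" in s:
        return "ssh2"  # both sides can do 2.0, so 2.0 wins
    if "ssh1" in c and "ssh1" in s:
        return "ssh1"
    return "none"      # e.g. a 2.0-only client against a 1.x-only server

def sessions_using_ssh1(sessions):
    """Return (source, destination) pairs whose session would run SSH1."""
    return [(src, dst) for src, dst, c, s in sessions
            if negotiated_version(c, s) == "ssh1"]

# Constructed sample data: the first address pair is the one from the log in
# this thread, the banners and the second pair are made up for illustration.
SAMPLE_SESSIONS = [
    ("192.168.15.10", "192.168.2.3",
     b"SSH-1.5-1.2.27\n", b"SSH-1.99-OpenSSH_3.9p1\r\n"),
    ("192.168.15.11", "192.168.2.4",
     b"SSH-2.0-OpenSSH_4.7\r\n", b"SSH-1.99-OpenSSH_3.9p1\r\n"),
]

if __name__ == "__main__":
    for src, dst in sessions_using_ssh1(SAMPLE_SESSIONS):
        print(f"{src} -> {dst}: SSH1 session, an SSH2-only rule would reject it")
```
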