Block SSH traffic coming from Putty with CONNECT request over port 443
search cancel

Block SSH traffic coming from Putty with CONNECT request over port 443


Article ID: 176397


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


Block SSH traffic coming from Putty with CONNECT request over port 443



  • Explicit Deployment
  • Detect Protocol enabled on Explicit HTTP listener


By default, the ProxySG will deny any non-SSL CONNECT request with the following exception seen in a policy trace.

EXCEPTION(connect_method_denied): CONNECT with a protocol other than SSL is not permitted

If a rule to ALLOW is matched in Policy, this will override the default decision, and the CONNECT request will be allowed. The ProxySG will see this traffic as tunneled and as HTTP.


There are a couple different ways to block the traffic:

Method 1 - Deny Tunneled Traffic

In order to block the traffic, CPL to block any tunneled traffic will need to be added so that it will be matched after the ALLOW rule that is being hit. In addition, this rule needs to be before any rule for traffic that is both being tunneled and should be allowed. In essence, policy will need to be created such that all non-tunneled traffic that is allowed is placed before the policy to block tunneled traffic, and all tunneled traffic that should be allowed is after the CPL to block.

The CPL rule to block would look something like this:

http.method=(CONNECT) tunneled=yes DENY

This will block any tunneled traffic. After this, any traffic that is tunneled will need to have an allow statement as well.

For example, below, the category News/Media, and the domain "" are not being tunneled, and are being allowed, and so the CPL to block is placed after that layer. As there is policy to tunnel, and, and the site is one that users will need to go to, the rule should be placed in a layer before those rules. In addition, if there is not already an ALLOW statement in the policy to tunnel, one is added.

url.category="News/Media" ALLOW
. . . ALLOW

http.method=(CONNECT) tunneled=yes DENY

<Proxy> detect_protocol(none) ALLOW detect_protocol(none) ALLOW


Method 2 - Force Protocol

The ProxySG can be made to enforce protocol for requests destined to a certain port. When this happens, if non-protocol traffic is seen (such as the SSH handshake over port 443 instead of the SSL handshake), then the ProxySG will reset the connection. The CPL to use in this case is:

url.port=443 force_protocol(ssl)

Do note that a policy trace will still show this traffic as allowed, as it allows the CONNECT request. Once the Putty agent continues by sending the SSH Protocol version, from a packet capture, you will see the ProxySG reset the connection