Our Connections via WinSCP on our Firewall Do Not Identify URL, Only IP Address


jpantera (34 posts, Los Angeles, CA)


Hello Martin and WinSCP Support,

I have what hopefully is a WinSCP configuration issue in some way, but it has required me to ask for SFTP firewall port openings by IP Address, and when a vendor changes IP Addresses, the access no longer works within my network until I ask for the new / updated IP Addresses to be allowed out.

I / we use WinSCP for our SFTP traffic in & out, and we use scripted automation that always uses the DNS FQDN name in all of our scripts. We build the WINSCP.COM script file and specific access information via your open statement (open sftp://<username>@<FQDN of SFTP site>:<Port> etc...).

However, my network support personnel tell me, and show me in their logs, that the logs only show the IP Address, and the "URL" side is returning nothing, blank.

They show me many other network connections and most of them do have the URL in the log.

Please assist with recommendation.

Thanks, and Happy New Year!
- Joe P.



martin, Site Admin (42,874 posts, Prague, Czechia)

Re: Our Connections Via WINSCP on our Firewall Do Not Identify URL, Only IP Address

There are no URLs in SFTP protocol. You probably mean that you want to whitelist SFTP connections based on a hostname, rather than an IP address.

Though actually, there are no hostnames in SFTP protocol either. So this is not a WinSCP configuration issue (or WinSCP issue at all). That's simply how SFTP/SSH works.

See my answers to the following questions, which partly cover the issue:


jpantera (34 posts, Los Angeles, CA)

Thank you

Thank you Martin,
Your response allowed us to ask the correct questions, and we addressed the issue.
Indeed the logs that weren't identifying the URL resolution were only on items via SSH / SFTP.
- Joe P.


anniewarner (1 post, USA)

Hello,

What you are seeing is most likely normal behavior and not necessarily a WinSCP configuration issue.

WinSCP resolves the FQDN to an IP address using DNS before establishing the SFTP connection. Once the connection is initiated, the firewall generally only sees and logs the destination IP address and port, not the original hostname/FQDN used in the script.

That is why your network team sees only the IP address in their firewall logs while your WinSCP script correctly uses the DNS name.

If the vendor changes their server IP address, the DNS record updates, but your firewall rules that are based on static IP allowlists will still need to be updated manually unless your firewall supports FQDN-based rules.

You may want to discuss the following options with your network/security team:

Configure firewall rules using FQDN objects instead of static IP addresses (if supported by the firewall platform)
Allow automatic DNS resolution refresh for approved SFTP destinations
Request vendors to provide stable/static IP ranges
Use a proxy or gateway solution that handles DNS dynamically

From the WinSCP side, using the FQDN in the open sftp://user@hostname:port command is already the correct and recommended approach.

Happy New Year!

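As an added example, not code from this thread or from WinSCP itself, the following Python script does what the two replies above describe: it pulls the FQDNs out of the "open sftp://..." lines of a WinSCP script, resolves them the way the client does before it opens the TCP connection (so the resulting IP and port pairs are exactly what the firewall logs and matches on, since neither the SSH version banner nor the key exchange carries a hostname), and diffs the answers against the firewall's IP allowlist. The vendor names, the user, the addresses, the "<fingerprint>" placeholder and the allowlist are all constructed; the fake_dns table in demo() stands in for real DNS so the script runs offline.

```python
"""Resolve the FQDNs from a WinSCP script the way the client does before it
connects, then diff the answers against a firewall IP allowlist so the
network team hears about a vendor's address change before a transfer fails.
Added example; not WinSCP code. All names and addresses are constructed."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

Dest = Tuple[str, int]       # (fqdn, port) as written in the script
Endpoint = Tuple[str, int]   # (ip, port) as the firewall logs it

# Constructed script in the style the thread describes; vendor names, user
# and the hostkey placeholder are assumptions. With no hostname in the SSH
# session, the pinned host key is what binds the session to the right server.
SAMPLE_SCRIPT = """\
option batch abort
option confirm off
open sftp://joe@sftp.vendor-a.example:22/ -hostkey="ssh-ed25519 255 <fingerprint>"
put C:\\out\\invoice.csv /inbound/
close
open sftp://joe@files.vendor-b.example:2222/
get /outbound/*.csv C:\\in\\
close
exit
"""

_OPEN_RE = re.compile(r"^\s*open\s+(\S+)", re.IGNORECASE)


def destinations(script_text: str) -> List[Dest]:
    """(fqdn, port) from every 'open sftp://user@host:port/' line; WinSCP
    defaults to port 22 when the URL carries none."""
    found: List[Dest] = []
    for line in script_text.splitlines():
        m = _OPEN_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.scheme.lower() == "sftp" and url.hostname:
            found.append((url.hostname, url.port or 22))
    return found


def system_resolver(fqdn: str) -> Set[str]:
    """The step WinSCP performs first: ask the OS resolver. Only the
    addresses returned here ever appear in the firewall's log."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def resolve_endpoints(dests: Iterable[Dest],
                      resolver: Callable[[str], Set[str]] = system_resolver
                      ) -> Dict[Dest, Set[Endpoint]]:
    """Map each scripted (fqdn, port) to the (ip, port) pairs the firewall sees."""
    return {(h, p): {(ip, p) for ip in resolver(h)} for h, p in dests}


def allowlist_drift(resolved: Dict[Dest, Set[Endpoint]],
                    allowlist: Iterable[str]
                    ) -> Tuple[Dict[Endpoint, List[Dest]], Set[Endpoint]]:
    """Compare current DNS answers with an allowlist of 'ip:port' strings.
    Returns (missing, stale): endpoints DNS now returns that the firewall
    does not allow (the transfer will fail), and allowed endpoints that no
    scripted FQDN resolves to any more (the vendor probably moved)."""
    allowed: Set[Endpoint] = set()
    for entry in allowlist:
        ip, _, port = entry.rpartition(":")
        ip = ip.strip("[]")            # tolerate [v6addr]:port
        ipaddress.ip_address(ip)       # raises on a malformed entry
        allowed.add((ip, int(port)))
    missing: Dict[Endpoint, List[Dest]] = {}
    current: Set[Endpoint] = set()
    for dest, endpoints in resolved.items():
        for ep in endpoints:
            current.add(ep)
            if ep not in allowed:
                missing.setdefault(ep, []).append(dest)
    return missing, allowed - current


def demo() -> Tuple[Dict[Endpoint, List[Dest]], Set[Endpoint]]:
    """Offline run with a constructed resolver: vendor A moved from
    192.0.2.10 to 192.0.2.20 and the firewall rule was never updated."""
    fake_dns = {
        "sftp.vendor-a.example": {"192.0.2.20"},
        "files.vendor-b.example": {"198.51.100.7", "198.51.100.8"},
    }
    resolved = resolve_endpoints(destinations(SAMPLE_SCRIPT),
                                 resolver=lambda h: fake_dns[h])
    allowlist = ["192.0.2.10:22", "198.51.100.7:2222", "198.51.100.8:2222"]
    return allowlist_drift(resolved, allowlist)


if __name__ == "__main__":
    missing, stale = demo()
    for (ip, port), dests in sorted(missing.items()):
        needed = ", ".join(f"{h}:{p}" for h, p in dests)
        print(f"NOT ALLOWED  {ip}:{port}  (needed by {needed})")
    for ip, port in sorted(stale):
        print(f"STALE        {ip}:{port}  (no scripted FQDN resolves here)")
```

Run against the real scripts with system_resolver from a scheduled task and raise the firewall change request whenever "missing" is non-empty; that closes the gap between a vendor re-addressing and the first failed transfer, which is the most the client side can do when the firewall has no FQDN objects. The -hostkey switch in the sample is the security-relevant part: because the protocol carries no hostname, the pinned key is the only thing that ties the session to the vendor's server rather than to whatever now answers at the new address.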

