Configure SSH Proxy
SSH Proxy decrypts inbound and outbound SSH sessions and ensures that attackers can’t
use SSH to tunnel malicious applications and content.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Depending on the products you're using, you need at least one of... If you're using a NGFW (Managed by PAN-OS or Panorama), no other requirements. |
Configuring SSH Proxy does not require
certificates, and the key used to decrypt SSH sessions is automatically generated on
the Next-Generation Firewall (NGFW) during boot up. The NGFW blocks or restricts SSH traffic based on your decryption policy
rules and decryption profiles. Traffic is re-encrypted as it exits the NGFW.
Next-Generation Firewalls can’t decrypt and inspect traffic
within an SSH tunnel.
When you configure SSH Proxy, the proxied traffic does
not support DSCP code points or QoS.
- Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces. To view configured interfaces, select Network > Interfaces > Ethernet. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its type.
- Create a decryption policy rule or modify an existing rule that decrypts SSH traffic. Include a decryption profile with each decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network. After defining the match criteria for the rule, select Options and configure the following settings:
  - For Action, select Decrypt.
  - For Type, select SSH Proxy.
  - (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, you can use a profile to terminate sessions with unsupported SSH versions and unsupported algorithms).
  - Click OK to save the rule.
- Commit your changes.
- (Optional) Create decryption exclusions to disable decryption for certain types of traffic.
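The procedure above has two points that are easy to get wrong and that only show up after a commit: an interface that is not virtual wire, Layer 2, or Layer 3 cannot decrypt at all, and an SSH Proxy rule saved without a decryption profile will decrypt but not enforce anything about SSH versions or algorithms. The following audit script is an added example, not Palo Alto Networks code or a documented API; it reads an exported PAN-OS configuration and reports both conditions. The XML layout it assumes (`rulebase/decryption/rules/entry` with `action`, `type` and `profile` children, and `network/interface/ethernet/entry` with one mode child such as `layer3` or `virtual-wire`) is an assumption based on the general shape of a PAN-OS configuration export, and the embedded sample config is constructed for illustration. Verify the paths against an export from your own release before relying on the output.

```python
"""Audit an exported PAN-OS configuration for SSH Proxy decryption rules.

Added example, not Palo Alto Networks code. Assumed XML layout (based on the
general shape of a PAN-OS configuration export; verify against your release):
  .../rulebase/decryption/rules/entry[@name=...]
      <action>decrypt | no-decrypt</action>
      <type><ssh-proxy/> | <ssl-forward-proxy/> | <ssl-inbound-inspection/></type>
      <profile>NAME</profile>        (decryption profile; may be absent)
  .../network/interface/ethernet/entry[@name=...]
      one mode child: <layer3/>, <layer2/>, <virtual-wire/>, <tap/>, ...
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real device export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network><interface><ethernet>
      <entry name="ethernet1/1"><layer3/></entry>
      <entry name="ethernet1/2"><virtual-wire/></entry>
      <entry name="ethernet1/3"><tap/></entry>
    </ethernet></interface></network>
    <vsys><entry name="vsys1"><rulebase><decryption><rules>
      <entry name="ssh-proxy-good">
        <action>decrypt</action><type><ssh-proxy/></type>
        <profile>strict-ssh</profile>
      </entry>
      <entry name="ssh-proxy-no-profile">
        <action>decrypt</action><type><ssh-proxy/></type>
      </entry>
      <entry name="ssl-fwd">
        <action>decrypt</action><type><ssl-forward-proxy/></type>
        <profile>strict-ssl</profile>
      </entry>
      <entry name="exclude-backups">
        <action>no-decrypt</action><type><ssh-proxy/></type>
      </entry>
    </rules></decryption></rulebase></entry></vsys>
  </entry></devices>
</config>"""

# Interface types on which decryption can be performed, per the procedure above.
DECRYPT_CAPABLE_MODES = {"layer3", "layer2", "virtual-wire"}
# Mode child elements an ethernet entry may carry (assumed set).
KNOWN_MODES = ("layer3", "layer2", "virtual-wire", "tap", "ha", "aggregate-group")


def decryption_rules(config_xml):
    """Return one dict per decryption rule: name, action, type, profile."""
    root = ET.fromstring(config_xml)
    rules = []
    for entry in root.iterfind(".//rulebase/decryption/rules/entry"):
        type_el = entry.find("type")
        # The rule type is encoded as the name of the single child of <type>.
        dtype = type_el[0].tag if type_el is not None and len(type_el) else None
        rules.append({
            "name": entry.get("name"),
            "action": entry.findtext("action"),
            "type": dtype,
            "profile": entry.findtext("profile"),  # None when no profile attached
        })
    return rules


def ssh_proxy_rules_without_profile(config_xml):
    """Names of rules that decrypt SSH but attach no decryption profile."""
    return [r["name"] for r in decryption_rules(config_xml)
            if r["action"] == "decrypt" and r["type"] == "ssh-proxy"
            and not r["profile"]]


def interface_modes(config_xml):
    """Map each ethernet interface name to its configured mode (or None)."""
    root = ET.fromstring(config_xml)
    modes = {}
    for entry in root.iterfind(".//network/interface/ethernet/entry"):
        mode = next((m for m in KNOWN_MODES if entry.find(m) is not None), None)
        modes[entry.get("name")] = mode
    return modes


def interfaces_unable_to_decrypt(config_xml):
    """Interfaces whose mode does not support decryption (e.g. tap)."""
    return sorted(name for name, mode in interface_modes(config_xml).items()
                  if mode not in DECRYPT_CAPABLE_MODES)


if __name__ == "__main__":
    for rule in decryption_rules(SAMPLE_CONFIG):
        print(rule)
    print("SSH Proxy rules without a decryption profile:",
          ssh_proxy_rules_without_profile(SAMPLE_CONFIG))
    print("Interfaces that cannot decrypt:",
          interfaces_unable_to_decrypt(SAMPLE_CONFIG))
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; a non-empty list from `ssh_proxy_rules_without_profile` means a rule decrypts SSH without the profile the procedure recommends, and any interface listed by `interfaces_unable_to_decrypt` that sits in a decryption rule's zones will never produce decrypted sessions.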