If you're using an NGFW (managed by PAN-OS or Panorama), there are no other requirements.
Configuring SSH Proxy does not require certificates; the key used to decrypt SSH sessions is automatically generated on the Next-Generation Firewall (NGFW) during boot-up. The NGFW blocks or restricts SSH traffic based on your decryption policy rules and decryption profiles, and traffic is re-encrypted as it exits the NGFW.
Next-Generation Firewalls can't decrypt and inspect traffic within an SSH tunnel.
When you configure SSH Proxy, the proxied traffic does not support DSCP code points or QoS.
Ensure that the appropriate interfaces are configured as virtual wire, Layer 2, or Layer 3 interfaces.
Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces. To view configured interfaces, select Network > Interfaces > Ethernet. The Interface Type column shows whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its type.
Include a decryption profile with each decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
After defining the match criteria for the rule, select Options and configure the following settings:
For Action, select Decrypt.
For Type, select SSH Proxy.
(Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, you can use a profile to terminate sessions with unsupported SSH versions and unsupported algorithms).
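As an added example (not part of the PAN-OS documentation or product), the following Python audit reads an exported decryption rulebase and reports every SSH Proxy rule whose Action is not Decrypt or that has no Decryption Profile attached, which are the settings the steps above require and recommend. The XML layout is modelled on a PAN-OS configuration export, but the sample rules, their names, and the exact element nesting are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <rulebase><decryption> section of a
# PAN-OS configuration export; rule names and exact nesting are assumptions.
SAMPLE_CONFIG = """<config>
  <rulebase><decryption><rules>
    <entry name="ssh-proxy-outbound">
      <action>decrypt</action>
      <type><ssh-proxy/></type>
      <profile>strict-ssh</profile>
    </entry>
    <entry name="ssh-proxy-no-profile">
      <action>decrypt</action>
      <type><ssh-proxy/></type>
    </entry>
    <entry name="ssh-not-decrypted">
      <action>no-decrypt</action>
      <type><ssh-proxy/></type>
    </entry>
    <entry name="web-forward-proxy">
      <action>decrypt</action>
      <type><ssl-forward-proxy/></type>
      <profile>strict-ssl</profile>
    </entry>
  </rules></decryption></rulebase>
</config>"""


def audit_ssh_proxy_rules(config_xml):
    """Return {rule_name: [problems]} for every rule whose Type is SSH Proxy."""
    root = ET.fromstring(config_xml)
    findings = {}
    for entry in root.iterfind("./rulebase/decryption/rules/entry"):
        if entry.find("type/ssh-proxy") is None:
            continue  # SSL Forward Proxy / Inbound Inspection rules are out of scope
        problems = []
        action = entry.findtext("action", default="")
        if action != "decrypt":
            problems.append(f"action is '{action or 'unset'}', expected 'decrypt'")
        if not (entry.findtext("profile") or "").strip():
            problems.append("no Decryption Profile attached")
        findings[entry.get("name")] = problems
    return findings


if __name__ == "__main__":
    for rule, problems in audit_ssh_proxy_rules(SAMPLE_CONFIG).items():
        print(rule, "OK" if not problems else "; ".join(problems))
```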