Configure SSH Proxy (PAN-OS)

1. Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.

   Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces. To view configured interfaces, select NetworkInterfacesEthernet

   The Interface Type column displays if an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its type.
2. Create a decryption policy rule or modify an existing rule that decrypts SSH traffic.

   Include a decryption profile with each decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.

   After defining the match criteria for the rule, select Options and configure the following settings:

   1. For Action, select Decrypt.
   2. For Type, select SSH Proxy.
   3. (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, you can use a profile to terminate sessions with unsupported SSH versions and unsupported algorithms).
   4. Click OK to save the rule.
3. (Optional) Block all SSH tunnel traffic.

   1. Configure a Security policy rule for the ssh-tunnel application with the Action set to Deny.
   2. Configure a Security policy rule that allows traffic from the ssh application.
4. Commit your changes.
5. (Optional) Create decryption exclusions to disable decryption for certain types of traffic.