Configure SSH Proxy
SSH Proxy decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel malicious applications and content.
Where Can I Use This? | What Do I Need? |
---|---|
 | No requirements. |
Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is automatically generated on the Next-Generation Firewall (NGFW) during boot-up. The NGFW blocks or restricts SSH traffic based on your decryption policy rules and decryption profiles. Traffic is re-encrypted as it exits the NGFW.

Next-Generation Firewalls can’t decrypt and inspect traffic within an SSH tunnel.

When you configure SSH Proxy, the proxied traffic does not support DSCP code points or QoS.
- Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces. To view configured interfaces, select Network > Interfaces > Ethernet. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its type.
- Create a decryption policy rule or modify an existing rule that decrypts SSH traffic. Include a decryption profile with each decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network. After defining the match criteria for the rule, select Options and configure the following settings:
  - For Action, select Decrypt.
  - For Type, select SSH Proxy.
  - (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, you can use a profile to terminate sessions with unsupported SSH versions and unsupported algorithms).
  - Click OK to save the rule.
- (Optional) Block all SSH tunnel traffic.
  - Configure a Security policy rule for the ssh-tunnel application with the Action set to Deny.
  - Configure a Security policy rule that allows traffic from the ssh application.
- Commit your changes.
- (Optional) Create decryption exclusions to disable decryption for certain types of traffic.
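As an added example (not part of this documentation or of PAN-OS itself), the following Python check audits a configuration export for the settings the procedure above produces: a decryption rule with Action Decrypt and Type SSH Proxy, a decryption profile attached to it, a Security rule denying ssh-tunnel, and a Security rule allowing ssh. It assumes the XML layout shown in the constructed sample, which is not a real export.

```python
"""Audit a PAN-OS-style configuration export for the SSH Proxy settings above."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real export). The vsys/rulebase layout is an
# assumption of this example; adjust the XPath expressions if yours differs.
SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><rulebase>
  <decryption><rules>
    <entry name="decrypt-ssh">
      <action>decrypt</action>
      <type><ssh-proxy/></type>
      <profile>ssh-best-practice</profile>
    </entry>
  </rules></decryption>
  <security><rules>
    <entry name="block-ssh-tunnel">
      <application><member>ssh-tunnel</member></application>
      <action>deny</action>
    </entry>
    <entry name="allow-ssh">
      <application><member>ssh</member></application>
      <action>allow</action>
    </entry>
  </rules></security>
</rulebase></entry></vsys></entry></devices>
</config>"""


def audit_ssh_proxy(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    findings = []
    # Decryption rules: need Action=decrypt with Type=SSH Proxy, each with a profile.
    dec_rules = root.findall(".//rulebase/decryption/rules/entry")
    ssh_proxy_rules = [r for r in dec_rules
                       if r.findtext("action") == "decrypt"
                       and r.find("type/ssh-proxy") is not None]
    if not ssh_proxy_rules:
        findings.append("no decryption rule with Action=decrypt and Type=SSH Proxy")
    for rule in ssh_proxy_rules:
        if not rule.findtext("profile"):
            findings.append(f"decryption rule {rule.get('name')!r} has no decryption profile")
    # Security rules: ssh-tunnel must be denied, ssh must be allowed.
    sec_rules = root.findall(".//rulebase/security/rules/entry")

    def rules_for(app: str):
        return [r for r in sec_rules
                if app in [m.text for m in r.findall("application/member")]]
    if not any(r.findtext("action") == "deny" for r in rules_for("ssh-tunnel")):
        findings.append("no security rule denying the ssh-tunnel application")
    if not any(r.findtext("action") == "allow" for r in rules_for("ssh")):
        findings.append("no security rule allowing the ssh application")
    return findings
```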