>
    Strata Copilot
    Configure SSH Proxy
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Enable Decryption
    5. Configure SSH Proxy
    Download PDF
    Network Security

    Configure SSH Proxy

    Table of Contents

    Configure SSH Proxy

    SSH Proxy decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel malicious applications and content.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by PAN-OS or Panorama)
    No requirements.
    Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is automatically generated on the Next-Generation Firewall (NGFW) during boot up. The NGFW blocks or restricts SSH traffic based on your decryption policy rules and decryption profiles. Traffic is re-encrypted as it exits the NGFW.
    Next-Generation Firewalls can’t decrypt and inspect traffic within an SSH tunnel.
    When you configure SSH Proxy, the proxied traffic does not support DSCP code points or QoS.
    1. Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
      Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces. To view configured interfaces, select NetworkInterfacesEthernet
      The Interface Type column displays if an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its type.
    2. Create a decryption policy rule or modify an existing rule that decrypts SSH traffic.
      Include a decryption profile with each decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
      After defining the match criteria for the rule, select Options and configure the following settings:
      1. For Action, select Decrypt.
      2. For Type, select SSH Proxy.
      3. (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, you can use a profile to terminate sessions with unsupported SSH versions and unsupported algorithms).
      4. Click OK to save the rule.
    3. (Optional) Block all SSH tunnel traffic.
      1. Configure a Security policy rule for the ssh-tunnel application with the Action set to Deny.
      2. Configure a Security policy rule that allows traffic from the ssh application.
    4. Commit your changes.
    5. (Optional) Create decryption exclusions to disable decryption for certain types of traffic.

    © 2026 Palo Alto Networks, Inc. All rights reserved.