Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH tunneled traffic. SSH tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.
Configure SSH Proxy Decryption
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces. View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column shows whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its interface type.
Create a Decryption Policy Rule to define traffic for the firewall to decrypt. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted. Select Options and:
- Set the rule Action to Decrypt matching traffic.
- Set the rule Type to SSH Proxy.
- (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
Click OK to save.
Commit the configuration.
(Optional) Continue to Configure Decryption Exceptions to disable decryption for certain types of traffic.
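After the commit, the result of the steps above can be checked offline against an exported configuration. The script below is an added example, not vendor code: it lists every SSH Proxy decryption rule and flags rules that decrypt without a Decryption Profile attached. The XML element layout (rulebase/decryption/rules/entry with action, type and profile children), the function name, and all rule and profile names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names follow the layout
# assumed here for the decryption rulebase of an exported XML configuration.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><decryption><rules>
  <entry name="ssh-admin-decrypt">
    <action>decrypt</action><type><ssh-proxy/></type>
    <profile>ssh-strict</profile>
  </entry>
  <entry name="ssh-lab-decrypt">
    <action>decrypt</action><type><ssh-proxy/></type>
  </entry>
  <entry name="web-decrypt">
    <action>decrypt</action><type><ssl-forward-proxy/></type>
    <profile>web-default</profile>
  </entry>
  <entry name="ssh-partner-exempt">
    <action>no-decrypt</action><type><ssh-proxy/></type>
  </entry>
</rules></decryption></rulebase>
</entry></vsys></entry></devices></config>
"""

def audit_ssh_proxy_rules(config_xml):
    """Return one finding dict per SSH Proxy decryption rule (hypothetical helper)."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind(".//rulebase/decryption/rules/entry"):
        rule_type = rule.find("type")
        if rule_type is None or rule_type.find("ssh-proxy") is None:
            continue  # some other decryption type, out of scope here
        action = (rule.findtext("action") or "").strip()
        profile = (rule.findtext("profile") or "").strip() or None
        if action != "decrypt":
            status = "not-decrypting"           # exception rule: SSH passes undecrypted
        elif profile is None:
            status = "decrypt-without-profile"  # optional profile step was skipped
        else:
            status = "ok"
        findings.append({"rule": rule.get("name"), "action": action,
                         "profile": profile, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit_ssh_proxy_rules(SAMPLE_CONFIG):
        print(f"{f['rule']:<20} action={f['action']:<11} profile={f['profile']} -> {f['status']}")
```

A rule reported as decrypt-without-profile is valid, since the profile is optional, but it is worth reviewing because the profile is where blocking and resource-exhaustion behavior for decrypted SSH sessions is set.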
