SSH Proxy Decryption Profile

The SSH Proxy Decryption profile blocks risky SSH sessions and blocks or restricts SSH tunneled traffic according to your Security policy.
The SSH Proxy Decryption profile (Objects > Decryption Profile > SSH Proxy) controls the session mode checks and failure checks for SSH traffic defined in the SSH Proxy Decryption policies to which you attach the profile. The following figure shows the general best practice recommendations for SSH Proxy Decryption profile settings, but the settings you use also depend on your company’s security compliance rules and local laws and regulations.
The firewall doesn’t perform content and threat inspection on SSH tunnels (port forwarding). However, the firewall distinguishes between the SSH application and the SSH-tunnel application. If the firewall identifies SSH tunnels, it blocks or restricts the SSH tunneled traffic according to the configured Security policy rules.
[Figure: SSH Proxy best practice Decryption profile settings (ssh-proxy-best-practice-decryption-profile.png)]
Unsupported Mode Checks. The firewall supports SSHv2. If you don’t block sessions with unsupported modes, users receive a warning message if they connect with potentially unsafe servers, and they can click through that message and reach the potentially dangerous site. Blocking these sessions protects you from servers that use weak, risky protocol versions and algorithms:
  • Block sessions with unsupported versions—The firewall has a set of predefined supported versions. Checking this box blocks traffic with weak versions. Always check this box to block sessions with the weak protocol versions to reduce the attack surface.
  • Block sessions with unsupported algorithms—The firewall has a set of predefined supported algorithms. Checking this box blocks traffic with weak algorithms. Always check this box to block sessions with unsupported algorithms to reduce the attack surface.
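The two mode checks above operate on what an SSH server announces during its handshake: the protocol version in its identification string and the algorithm name-lists in its KEXINIT message. The following is an added illustration, not Palo Alto Networks code, of how such a check decides between allow, warn and block; the allow-lists are hypothetical stand-ins for the firewall’s predefined sets, and the "no overlap means unsupported" rule models a proxy that must negotiate with the server using only the algorithms it accepts.

```python
"""Evaluate an SSH server's handshake the way a profile's mode checks would.

Constructed example. Inputs are the server identification string
("SSH-protoversion-softwareversion", RFC 4253 s4.2) and the comma-separated
name-lists it sends in KEXINIT (RFC 4253 s7.1).
"""
from dataclasses import dataclass, field

# Hypothetical allow-lists; the real firewall ships its own predefined sets.
SUPPORTED_VERSIONS = {"2.0", "1.99"}          # "1.99" means the server also speaks v2
SUPPORTED_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org",
                 "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"}
SUPPORTED_CIPHERS = {"chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com",
                     "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr"}
SUPPORTED_MACS = {"hmac-sha2-256", "hmac-sha2-512",
                  "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"}


@dataclass
class Verdict:
    block: bool                       # True -> terminate the session
    reasons: list = field(default_factory=list)  # non-empty with block=False -> warn


def parse_version(ident_line: str) -> str:
    """Return the protoversion field of an SSH identification string."""
    if not ident_line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    return ident_line.split("-", 2)[1]


def evaluate(ident_line, kex_algs, ciphers, macs,
             block_unsupported_versions=True, block_unsupported_algorithms=True):
    """Apply the two mode checks; each checkbox decides whether a finding blocks or only warns."""
    v = Verdict(block=False)
    proto = parse_version(ident_line)
    if proto not in SUPPORTED_VERSIONS:
        v.reasons.append(f"unsupported protocol version {proto}")
        v.block |= block_unsupported_versions
    for label, offered, allowed in (("kex", kex_algs, SUPPORTED_KEX),
                                    ("cipher", ciphers, SUPPORTED_CIPHERS),
                                    ("mac", macs, SUPPORTED_MACS)):
        names = [n for n in offered.split(",") if n]
        # A proxy can only negotiate an algorithm both it and the server support;
        # if the server offers nothing on the allow-list, the session cannot be
        # decrypted with an accepted algorithm and counts as unsupported.
        if not any(n in allowed for n in names):
            v.reasons.append(f"no supported {label} algorithm among {names}")
            v.block |= block_unsupported_algorithms
    return v
```

With both boxes cleared, `evaluate` still records the findings but returns `block=False`, which corresponds to the warning-and-click-through behaviour described above.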
Failure Checks:
  • Block sessions on SSH errors—Checking this box terminates the session if SSH errors occur.
  • Block sessions if resources not available—If you don’t block sessions when firewall processing resources aren’t available, encrypted traffic that you intended to decrypt enters the network still encrypted and uninspected, so potentially dangerous connections may be allowed. However, blocking sessions when firewall processing resources aren’t available may affect the user experience by making sites that users normally can reach temporarily unreachable. Whether to implement failure checks depends on your company’s security compliance stance and on how you weigh the user experience against tighter security. Alternatively, consider using firewall models with more processing power so that you can decrypt more traffic.