End-of-Life (EoL)

Settings to Control Decrypted SSH Traffic

The following table describes the settings you can use to control decrypted inbound and outbound SSH traffic. These settings allow you to limit or block SSH tunneled traffic based on criteria including the use of unsupported algorithms, the detection of SSH errors, or the availability of resources to process SSH Proxy decryption.

SSH Proxy Tab Settings

Unsupported Mode Checks: Use these options to control sessions if unsupported modes are detected in SSH traffic. Supported SSH version is SSH version 2.
  Block sessions with unsupported versions: Terminate sessions if the “client hello” message is not supported by PAN-OS.
  Block sessions with unsupported algorithms: Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.

Failure Checks: Select actions to take if SSH application errors occur and if system resources are not available.
  Block sessions on SSH errors: Terminate sessions if SSH errors occur.
  Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.