SSH Proxy decryption requires no certificates. It decrypts
inbound and outbound SSH sessions and ensures that attackers can't use
SSH to tunnel potentially malicious applications and content.
Because SSH Proxy does not require certificates, the key used to decrypt
SSH sessions is generated automatically on the firewall during boot
up. With SSH decryption enabled, the firewall decrypts SSH traffic
and blocks or restricts the SSH traffic based on your Decryption
policy and Decryption profile settings. Traffic is re-encrypted
as it exits the firewall.
When you configure SSH Proxy,
the proxied traffic does not support DSCP code points or QoS.
Ensure that the appropriate interfaces are configured
as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption
can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the
column displays if an
interface is configured to be a
You can select an interface to modify its configuration, including what
type of interface it is.
Although Decryption profiles are
optional, it is a best practice to include a Decryption profile
with each Decryption policy rule to prevent weak, vulnerable protocols
and algorithms from allowing questionable traffic on your network.
Add or modify an
existing rule, and define the traffic to be decrypted.
Set the rule
Set the rule
(Optional but a best practice) Configure or select
to block and control
various aspects of the decrypted traffic (for example, create a
Decryption profile to terminate sessions with unsupported versions
and unsupported algorithms).
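As an added illustration (example code, not PAN-OS or the firewall's own implementation), the Python below models the kind of version and algorithm check a Decryption profile applies to an SSH session: it parses both peers' identification banners and SSH_MSG_KEXINIT name-lists (RFC 4253 section 7.1), works out which algorithms the two sides would negotiate, and returns the reasons a session would be terminated. The profile values and the KEXINIT payloads are constructed assumptions.

```python
import struct

# Hypothetical profile values (constructed for this example).
PROFILE = {
    "allowed_versions": {"2.0", "1.99"},  # "1.99" = legacy server that also speaks 2.0
    "blocked": {"diffie-hellman-group1-sha1", "3des-cbc", "arcfour", "hmac-md5"},
}
# Order of the ten name-lists in SSH_MSG_KEXINIT.
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def parse_version(banner: str) -> str:
    """'SSH-2.0-OpenSSH_9.6' -> '2.0' (the protoversion field of the banner)."""
    if not banner.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    return banner.split("-", 2)[1]


def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists of a KEXINIT payload (type byte 20 + 16-byte cookie)."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, out = 17, {}
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        out[name] = payload[pos:pos + n].decode("ascii").split(",") if n else []
        pos += n
    return out


def build_kexinit(lists: list) -> bytes:
    """Build a constructed KEXINIT payload (zero cookie, no guessed first packet)."""
    body = bytes([20]) + bytes(16)
    for names in lists:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + bytes(5)  # first_kex_packet_follows = 0, reserved uint32 = 0


def evaluate(c_banner, s_banner, c_kex, s_kex, profile=PROFILE) -> list:
    """Return reasons to terminate the session; an empty list means allow."""
    versions = (parse_version(c_banner), parse_version(s_banner))
    reasons = [f"unsupported version {v}" for v in versions
               if v not in profile["allowed_versions"]]
    c, s = parse_kexinit(c_kex), parse_kexinit(s_kex)
    for f in ("kex", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"):
        # RFC 4253: the first client algorithm that the server also offers wins.
        chosen = next((a for a in c[f] if a in s[f]), None)
        if chosen is None or chosen in profile["blocked"]:
            reasons.append(f"{f}: {chosen or 'no common algorithm'}")
    return reasons
```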