Configure SSH Proxy
SSH Proxy decryption requires no certificates and decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications and content.
Configuring SSH Proxy does not require certificates and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up. With SSH decryption enabled, the firewall decrypts SSH traffic and blocks and or restricts the SSH traffic based on your decryption policy and decryption profile settings. Traffic is re-encrypted as it exits the firewall.
- Ensure that the appropriate interfaces are configured
as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption
can only be performed on virtual wire, Layer 2, or Layer
3 interfaces.View configured interfaces on the NetworkInterfacesEthernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
a Decryption Policy Rule to define traffic for the firewall
to decrypt and Create
a Decryption Profile to apply checks to the SSH traffic.Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
- Select PoliciesDecryption, Add or modify an existing rule, and define traffic to be decrypted.
- Select Options and:
- Set the rule Action to Decrypt matching traffic.
- Set the rule Type to SSH Proxy.
- (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, create a Decryption profile to terminate sessions with unsupported versions and unsupported algorithms).
- Click OK to save.
- Commit the configuration.
- (Optional) Continue to Decryption Exclusions to disable decryption for certain types of traffic.
Learn about outbound and inbound SSL decryption, SSH Proxy decryption, Decryption Mirroring, and the keys and certificates that make decryption possible. ...
Decryption Overview The Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption protocols secure traffic between two entities, such as a web server and a ...
Create a Decryption Policy Rule
Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...
Create a Decryption Profile
Attach Decryption profiles to Decryption policy rules to control the protocol versions, algorithms, verification checks, and session checks the firewall accepts for the traffic defined ...
You can’t protect yourself against threats you can’t see. Decrypt traffic to reveal encrypted threats so the firewall can protect your network against them. ...
SSH Proxy decryption decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications and content. ...
Decryption Options Tab
Decryption Options Tab Select the Options tab to determine if the matched traffic should be decrypted or not. If Decrypt is set, specify the decryption ...
Configure SSL Inbound Inspection
SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and apply security protections against those ...
Deploy SSL Decryption Using Best Practices
Following SSL Decryption deployment best practices help to ensure a smooth, prioritized rollout and that you decrypt the traffic you need to decrypt to safeguard ...