Settings to Control Decrypted SSH Traffic
The following table describes the settings you can use to control decrypted inbound and outbound SSH traffic. These settings allow you to limit or block SSH tunneled traffic based on criteria including the use of unsupported algorithms, the detection of SSH errors, or the availability of resources to process SSH Proxy decryption.
SSH Proxy Tab Settings
Unsupported Mode Checks—Use these options to control sessions if unsupported modes are detected in SSH traffic. The only supported SSH version is SSH version 2.
Block sessions with unsupported versions
Terminate sessions if the “client hello” message is not supported by PAN-OS.
Always block sessions with unsupported versions to prevent access to sites with weak protocols. On the SSL Protocol Settings tab, set the minimum Protocol Version to TLSv1.2 to block sites with weak protocol versions. If a site you need to access for business purposes uses a weaker protocol, create a separate Decryption profile that allows the weaker protocol and specify it in a Decryption policy rule that applies only to the sites for which you must allow the weaker protocol.
Block sessions with unsupported algorithms
Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.
Always block sessions with unsupported algorithms to prevent access to sites that use weak algorithms.
Failure Checks—Select actions to take if SSH application errors occur and if system resources are not available.
Block sessions on SSH errors
Terminate sessions if SSH errors occur.
Block sessions if resources not available
Terminate sessions if system resources are not available to process decryption.
Whether to block sessions when resources aren’t available is a tradeoff between tighter security and a better user experience. If you don’t block sessions when resources aren’t available, the firewall won’t be able to decrypt traffic that you want to decrypt when resources are impacted. However, blocking sessions when resources aren’t available may affect the user experience because sites that are normally reachable may become temporarily unreachable.
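The checks in the table above, written out as a small policy evaluator so the order and effect of each setting is concrete. This is an added illustration, not PAN-OS code: it parses the SSH identification string (RFC 4253 section 4.2) and the comma-separated algorithm name-lists from each side's KEXINIT (RFC 4253 section 7.1), applies the four profile settings, and returns the resulting action. The supported-algorithm sets, the `SshProxyProfile` and `SshSession` names, and the sample sessions are all constructed for the example.

```python
"""Constructed model of the SSH Proxy decryption profile checks (not PAN-OS code)."""
from dataclasses import dataclass
import re

# SSH-1.99 is how an SSH-1 server advertises that it also speaks SSH-2 (RFC 4253 5.1).
SUPPORTED_VERSIONS = {"2.0", "1.99"}

# Constructed allow-list standing in for "algorithms supported by the proxy".
SUPPORTED = {
    "kex": {"curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"},
    "cipher": {"aes128-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}


@dataclass
class KexInit:
    """The three name-lists from a KEXINIT packet that matter here (comma-separated)."""
    kex: str
    cipher: str
    mac: str


@dataclass
class SshSession:
    """Facts the proxy observes about one session (hypothetical structure)."""
    client_ident: str
    server_ident: str
    client_kexinit: KexInit
    server_kexinit: KexInit
    ssh_error: bool = False
    resources_available: bool = True


@dataclass
class SshProxyProfile:
    """The four settings from the SSH Proxy tab, with the defaults used in this example."""
    block_unsupported_versions: bool = True
    block_unsupported_algorithms: bool = True
    block_on_ssh_errors: bool = True
    block_if_resources_unavailable: bool = False


# "SSH-protoversion-softwareversion SP comments CR LF" (RFC 4253 4.2)
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: [^\r\n]*)?\r?\n?$")


def parse_ident(line: str) -> str:
    """Return the protocol version from an identification string, or raise ValueError."""
    match = IDENT_RE.match(line)
    if not match:
        raise ValueError(f"malformed identification string: {line.strip()!r}")
    return match.group(1)


def negotiate(client_list: str, server_list: str):
    """RFC 4253 7.1: the first name on the client's list that the server also lists."""
    server = server_list.split(",")
    for name in client_list.split(","):
        if name in server:
            return name
    return None


def evaluate(profile: SshProxyProfile, session: SshSession):
    """Apply the profile to a session; returns (action, reason)."""
    # Unsupported Mode Checks: version. A garbled banner counts as unsupported.
    if profile.block_unsupported_versions:
        for ident in (session.client_ident, session.server_ident):
            try:
                version = parse_ident(ident)
            except ValueError as exc:
                return "block", str(exc)
            if version not in SUPPORTED_VERSIONS:
                return "block", f"unsupported SSH version {version}"
    # Unsupported Mode Checks: the algorithm the two sides would actually agree on.
    if profile.block_unsupported_algorithms:
        for kind in ("kex", "cipher", "mac"):
            chosen = negotiate(getattr(session.client_kexinit, kind),
                               getattr(session.server_kexinit, kind))
            if chosen is None:
                return "block", f"no common {kind} algorithm"
            if chosen not in SUPPORTED[kind]:
                return "block", f"unsupported {kind} algorithm {chosen}"
    # Failure Checks: protocol errors.
    if session.ssh_error and profile.block_on_ssh_errors:
        return "block", "SSH error"
    # Failure Checks: the tradeoff described above. Fail closed blocks the session;
    # fail open lets it through undecrypted, so tunneled content is not inspected.
    if not session.resources_available:
        if profile.block_if_resources_unavailable:
            return "block", "decryption resources unavailable"
        return "allow", "not decrypted: decryption resources unavailable"
    return "allow", "decrypted"


# Constructed sample sessions (names and banners are made up for the example).
GOOD = KexInit("curve25519-sha256,ecdh-sha2-nistp256",
               "aes256-gcm@openssh.com,aes128-ctr", "hmac-sha2-256")
WEAK = KexInit("diffie-hellman-group1-sha1,curve25519-sha256",
               "aes128-ctr", "hmac-sha2-256")
MODERN = "SSH-2.0-OpenSSH_9.3\r\n"

SAMPLES = {
    "ok": SshSession(MODERN, MODERN, GOOD, GOOD),
    "old_client": SshSession("SSH-1.5-OpenSSH_2.9\r\n", MODERN, GOOD, GOOD),
    "weak_kex": SshSession(MODERN, MODERN, WEAK, WEAK),
    "busy": SshSession(MODERN, MODERN, GOOD, GOOD, resources_available=False),
}

if __name__ == "__main__":
    for name, session in SAMPLES.items():
        print(name, evaluate(SshProxyProfile(), session))
```

The `busy` sample is the point of the last row of the table: with the default profile it is allowed through undecrypted, and with `block_if_resources_unavailable=True` it is blocked instead, which is the security-versus-availability tradeoff the text describes.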