The SSH Proxy Decryption profile blocks risky SSH sessions
and blocks or restricts SSH tunneled traffic according to your Security
The SSH Proxy Decryption profile (
controls the session mode checks and failure checks for SSH traffic
defined in the SSH Proxy Decryption policies to which you attach
the profile. The following figure shows the general best practice
recommendations for SSH Proxy Decryption profile settings, but the
settings you use also depend on your company’s security compliance
rules and local laws and regulations.
The firewall doesn’t perform content and threat inspection
on SSH tunnels (port forwarding). However, the firewall distinguishes
between the SSH application and the SSH-tunnel application. If the
firewall identifies SSH tunnels, it blocks the SSH tunneled traffic
and restricts the traffic according to configured security policies.
Unsupported Mode Checks. The firewall supports SSHv2. If you
don’t block sessions with unsupported modes, users receive a warning
message if they connect with potentially unsafe servers, and they
can click through that message and reach the potentially dangerous
site. Blocking these sessions protects you from servers that use
weak, risky protocol versions and algorithms:
Block sessions with unsupported versions
has a set of predefined supported versions. Checking this box blocks
traffic with weak versions. Always check this box to block sessions
with the weak protocol versions to reduce the attack surface.
Block sessions with unsupported algorithms
has a set of predefined supported algorithms. Checking this box
blocks traffic with weak algorithms. Always check this box to block
sessions with unsupported algorithms to reduce the attack surface.
Block sessions on SSH errors
—Checking this box
terminates the session if SSH errors occur.
Block sessions if resources not available
—If you don’t
block sessions when firewall processing resources aren’t available,
then encrypted traffic that you want to decrypt enters the network
still encrypted, risking allowing potentially dangerous connections.
However, blocking sessions when firewall processing resources aren’t
available may affect the user experience by making sites that users
normally can reach temporarily unreachable. Whether to implement
failure checks depends on your company’s security compliance stance
and the importance to your business of the user experience, weighed
against tighter security. Alternatively, consider using firewall
models with more processing power so that you can decrypt more traffic.