The SSH Proxy Decryption profile blocks risky SSH sessions
and blocks or restricts SSH tunneled traffic according to your Security policy.
The SSH Proxy Decryption profile (Objects > Decryption Profile > SSH Proxy)
controls the session mode checks and failure checks for SSH traffic
defined in the SSH Proxy Decryption policies to which you attach
the profile. The following figure shows the general best practice
recommendations for SSH Proxy Decryption profile settings, but the
settings you use also depend on your company’s security compliance
rules and local laws and regulations.
The firewall doesn’t perform content and threat inspection
on SSH tunnels (port forwarding). However, the firewall distinguishes between
the SSH application and the SSH-tunnel application. If the firewall
identifies SSH tunnels, it blocks or restricts the SSH tunneled traffic
according to your configured Security policy.
Unsupported Mode Checks. The firewall supports SSHv2. If you
don’t block sessions with unsupported modes, users receive a warning
message if they connect with potentially unsafe servers, and they
can click through that message and reach the potentially dangerous
site. Blocking these sessions protects you from servers that use
weak, risky protocol versions and algorithms:

Block sessions with unsupported versions—The firewall
has a set of predefined supported versions. Checking this box blocks
traffic with weak versions. Always check this box to block sessions
with the weak protocol versions to reduce the attack surface.

Block sessions with unsupported algorithms—The firewall
has a set of predefined supported algorithms. Checking this box
blocks traffic with weak algorithms. Always check this box to block
sessions with unsupported algorithms to reduce the attack surface.
Failure Checks:

Block sessions on SSH errors—Checking this box
terminates the session if SSH errors occur.

Block sessions if resources not available—If you don’t
block sessions when firewall processing resources aren’t available, then
encrypted traffic that you want to decrypt enters the network still
encrypted, which risks allowing potentially dangerous connections. However, blocking
sessions when firewall processing resources aren’t available may
affect the user experience by making sites that users normally can
reach temporarily unreachable. Whether to implement failure checks
depends on your company’s security compliance stance and the importance
to your business of the user experience, weighed against tighter
security. Alternatively, consider using firewall models with more
processing power so that you can decrypt more traffic.
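To make the Unsupported Mode Checks and the Failure Checks above concrete, the following added example (not PAN-OS code and not the vendor's implementation) models the four profile checkboxes as a small policy evaluator. It parses an RFC 4253 server identification string, negotiates each algorithm category the way the protocol does (first entry in the client's name-list that the server also offers), compares the result against an allowlist, and then returns the verdict the profile setting implies: block, allow with the click-through warning, or pass the traffic through undecrypted when the proxy itself fails. The profile field names, the allowlists, the handshake samples and the order in which checks are applied are assumptions of the example, not something the page states.

```python
"""Illustrative model of the SSH Proxy Decryption profile checks.
Added example: field names, allowlists and sample handshakes are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)")

# Assumed allowlists standing in for the firewall's predefined supported sets.
ALLOWLISTS: Dict[str, frozenset] = {
    "kex": frozenset({"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"}),
    "hostkey": frozenset({"ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"}),
    "cipher": frozenset({"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                         "aes128-gcm@openssh.com", "aes256-ctr"}),
    "mac": frozenset({"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
                      "hmac-sha2-256", "hmac-sha2-512"}),
}


@dataclass
class SshProxyProfile:
    """The four checkboxes from the profile, as booleans (names are assumed)."""
    block_unsupported_versions: bool = True
    block_unsupported_algorithms: bool = True
    block_on_ssh_errors: bool = True
    block_if_resources_unavailable: bool = True


def parse_banner(banner: str) -> str:
    """Return the protocol version from an identification string, '' if malformed."""
    m = BANNER_RE.match(banner.strip())
    return m.group("proto") if m else ""


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 7.1: first algorithm in the client's name-list the server also offers."""
    server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in server:
            return name
    return None


def unsupported_algorithms(client_kexinit: Dict[str, str],
                           server_kexinit: Dict[str, str]) -> List[str]:
    """'category=algorithm' for every negotiated algorithm outside the allowlist."""
    bad = []
    for category, allowlist in ALLOWLISTS.items():
        chosen = negotiate(client_kexinit[category], server_kexinit[category])
        if chosen is None or chosen not in allowlist:
            bad.append(f"{category}={chosen}")
    return bad


def evaluate_session(profile: SshProxyProfile, server_banner: str,
                     client_kexinit: Dict[str, str], server_kexinit: Dict[str, str],
                     ssh_error: bool = False,
                     resources_available: bool = True) -> Tuple[str, str]:
    """Apply the profile to one session and return (verdict, reason)."""
    # Failure checks first (assumed order): these model the proxy failing, not the peers.
    if not resources_available:
        if profile.block_if_resources_unavailable:
            return "block", "firewall resources unavailable"
        return "allow-undecrypted", "fail-open: traffic enters the network still encrypted"
    if ssh_error:
        if profile.block_on_ssh_errors:
            return "block", "ssh error during session"
        return "allow-undecrypted", "fail-open after ssh error"
    # Unsupported mode checks: version, then negotiated algorithms.
    proto = parse_banner(server_banner)
    if proto != "2.0":  # assumption: only a plain SSH-2.0 banner counts as supported
        if profile.block_unsupported_versions:
            return "block", f"unsupported protocol version {proto or '?'}"
        return "allow-with-warning", f"user warned about protocol version {proto or '?'}"
    bad = unsupported_algorithms(client_kexinit, server_kexinit)
    if bad:
        if profile.block_unsupported_algorithms:
            return "block", "unsupported algorithms: " + ", ".join(bad)
        return "allow-with-warning", "user warned about " + ", ".join(bad)
    return "allow", "decrypted and inspected"


# Constructed KEXINIT name-lists (not captured traffic).
CLIENT_KEXINIT = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1",
    "hostkey": "ssh-ed25519,rsa-sha2-256,ssh-rsa",
    "cipher": "chacha20-poly1305@openssh.com,aes256-ctr,3des-cbc",
    "mac": "hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-md5",
}
MODERN_SERVER = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256",
    "hostkey": "ssh-ed25519",
    "cipher": "chacha20-poly1305@openssh.com,aes256-ctr",
    "mac": "hmac-sha2-256-etm@openssh.com",
}
LEGACY_SERVER = {  # constructed: offers only old algorithms
    "kex": "diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa",
    "cipher": "3des-cbc",
    "mac": "hmac-md5",
}

if __name__ == "__main__":
    profile = SshProxyProfile()
    for label, banner, server in [("modern", "SSH-2.0-OpenSSH_9.6", MODERN_SERVER),
                                  ("legacy", "SSH-2.0-OldDaemon_1.0", LEGACY_SERVER),
                                  ("v1-compat", "SSH-1.99-OldDaemon_1.0", MODERN_SERVER)]:
        print(label, evaluate_session(profile, banner, CLIENT_KEXINIT, server))
```

Running the block with the default profile blocks the legacy server on all four algorithm categories and blocks the `SSH-1.99` banner on version; flipping `block_if_resources_unavailable` to `False` shows the fail-open case the page warns about, where the session passes but nothing is decrypted or inspected.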