Focus

Configure SSH Proxy

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure SSL Inbound Inspection

Configure Server Certificate Verification for Undecrypted Traffic

Configure SSH Proxy

SSH Proxy decryption requires no certificates and decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications and content.

Configuring SSH Proxy does not require certificates and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up. With SSH decryption enabled, the firewall decrypts SSH traffic and blocks and or restricts the SSH traffic based on your decryption policy and decryption profile settings. Traffic is re-encrypted as it exits the firewall.

When you configure SSH Proxy, the proxied traffic does not support DSCP code points or QoS.

Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the NetworkInterfacesEthernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
Create a Decryption Policy Rule to define traffic for the firewall to decrypt and Create a Decryption Profile to apply checks to the SSH traffic.

Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
1. Select PoliciesDecryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
  - Set the rule Action to Decrypt matching traffic.
  - Set the rule Type to SSH Proxy.
  - (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, create a Decryption profile to terminate sessions with unsupported versions and unsupported algorithms).
3. Click OK to save.
Commit the configuration.
(Optional) Continue to Decryption Exclusions to disable decryption for certain types of traffic.

Configure SSL Inbound Inspection

Configure Server Certificate Verification for Undecrypted Traffic

Next-Generation Firewall Docs

Configure SSH Proxy

Next-Generation Firewall Docs

Configure SSH Proxy

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner