Configure SSH Proxy on Palo Alto Networks Firewall
SSH Proxy decryption allows the firewall to decrypt and inspect SSH traffic, preventing the misuse of SSH tunnels for malicious purposes. Below are the steps to configure SSH Proxy on PAN-OS 11.0.
Prerequisites
Ensure interfaces are configured as Virtual Wire, Layer 2, or Layer 3. Decryption is supported only on these interface types.
SSH Proxy does not require certificates; the firewall automatically generates the necessary keys during boot-up.
Configuration Steps
1. Verify Interface Types: navigate to Network > Interfaces and ensure the relevant interfaces are set to Virtual Wire, Layer 2, or Layer 3.
2. Create a Decryption Policy Rule: go to Policies > Decryption and click Add.
   - Define the traffic to be decrypted (source, destination, service, etc.).
   - Under the Options tab, set Action to Decrypt and Type to SSH Proxy.
   - Optionally, attach a Decryption Profile to enforce specific SSH protocol versions and algorithms.
   - Click OK to save the rule.
3. Commit the Configuration: click Commit to apply the changes.
4. Optional - Configure Decryption Exclusions: for systems that require key-based authentication, configure decryption exclusions to bypass SSH Proxy for those systems.
SSH Proxy Overview
Purpose: SSH Proxy decrypts inbound and outbound SSH sessions to prevent attackers from using SSH to tunnel potentially malicious applications and content.
Automatic Key Generation: SSH decryption does not require certificates; the firewall automatically generates the key used for SSH decryption during boot-up.
Traffic Inspection: The firewall examines each SSH channel's App-ID to identify the channel type (e.g., session, X11, forwarded-tcpip, direct-tcpip) and blocks SSH tunneling traffic accordingly. While SSH Proxy can identify and block tunneling channels such as X11, forwarded-tcpip and direct-tcpip, it does not perform content inspection within those tunnels.
Authentication Limitation: SSH Proxy does not support public key authentication; clients must use username and password authentication. Systems requiring key-based authentication should be excluded from SSH decryption.
QoS Consideration: Proxied SSH traffic does not support DSCP code points or QoS markings.
Security Policy Configuration: To block SSH tunneling, configure a Security policy rule for the application 'ssh-tunnel' with the action set to 'Deny', along with a rule to allow traffic from the 'ssh' application.
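The following is an added example, not Palo Alto Networks code and not the firewall's actual App-ID implementation. It models the two points made above: how a proxy that sees the decrypted SSH stream can classify each channel from the SSH_MSG_CHANNEL_OPEN message (layout per RFC 4254 section 5.1) into the 'ssh' or 'ssh-tunnel' application, and how an ordered Security rulebase then decides the outcome. The rule names, the first-match rulebase model and the sample messages are constructed for illustration; the channel type names and the App-ID names are the ones the page lists.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # RFC 4254 section 5.1 message number

# Channel types the page names as SSH tunnelling; "session" is an interactive shell/exec channel.
TUNNEL_CHANNEL_TYPES = frozenset({"x11", "forwarded-tcpip", "direct-tcpip"})


def build_channel_open(channel_type: str, sender_channel: int = 0,
                       window: int = 2_097_152, max_packet: int = 32_768) -> bytes:
    """Construct a decrypted SSH_MSG_CHANNEL_OPEN payload (constructed fixture, not captured traffic).

    Layout per RFC 4254: byte 90, string channel-type, uint32 sender channel,
    uint32 initial window size, uint32 maximum packet size, then type-specific
    data (omitted here because classification only needs the channel type).
    """
    name = channel_type.encode("ascii")
    return (struct.pack("!BI", SSH_MSG_CHANNEL_OPEN, len(name)) + name
            + struct.pack("!III", sender_channel, window, max_packet))


def parse_channel_open(payload: bytes):
    """Return (channel_type, sender_channel) for a CHANNEL_OPEN payload,
    or None if the payload is another message type or is malformed."""
    if len(payload) < 5 or payload[0] != SSH_MSG_CHANNEL_OPEN:
        return None
    (name_len,) = struct.unpack_from("!I", payload, 1)
    # Bound the length before slicing so a crafted length field cannot cause over-reads.
    if name_len > 64 or len(payload) < 5 + name_len + 12:
        return None
    channel_type = payload[5:5 + name_len].decode("ascii", errors="replace")
    (sender_channel,) = struct.unpack_from("!I", payload, 5 + name_len)
    return channel_type, sender_channel


def classify_app(channel_type: str) -> str:
    """Map a channel type to the App-ID names the page uses:
    'ssh-tunnel' for tunnelling channels, 'ssh' for everything else."""
    return "ssh-tunnel" if channel_type in TUNNEL_CHANNEL_TYPES else "ssh"


# Ordered Security rulebase as the page recommends: deny ssh-tunnel, allow ssh.
RECOMMENDED_RULES = [
    {"name": "block-ssh-tunnel", "application": "ssh-tunnel", "action": "deny"},
    {"name": "allow-ssh", "application": "ssh", "action": "allow"},
]

# A common mistake (hypothetical rulebase): a broad allow placed above the deny shadows it.
SHADOWED_RULES = [
    {"name": "allow-any-app", "application": "any", "action": "allow"},
    {"name": "block-ssh-tunnel", "application": "ssh-tunnel", "action": "deny"},
]


def evaluate_rules(rules, app: str):
    """First-match evaluation from top to bottom; no match falls to an implicit deny."""
    for rule in rules:
        if rule["application"] in ("any", app):
            return rule["name"], rule["action"]
    return "implicit-default", "deny"


def decide(payload: bytes, rules=RECOMMENDED_RULES):
    """Full pipeline: parse the channel open, classify its App-ID, apply the rulebase."""
    parsed = parse_channel_open(payload)
    if parsed is None:
        return "unparsed", "deny"
    channel_type, _ = parsed
    return evaluate_rules(rules, classify_app(channel_type))


if __name__ == "__main__":
    for ctype in ("session", "direct-tcpip", "forwarded-tcpip", "x11"):
        msg = build_channel_open(ctype, sender_channel=1)
        print(f"{ctype:16} recommended -> {decide(msg)}   shadowed -> {decide(msg, SHADOWED_RULES)}")
```

Running the block shows a "session" channel reaching the allow rule while direct-tcpip, forwarded-tcpip and x11 channels hit the deny rule under the recommended ordering, and the same tunnel channels being allowed when a broad allow rule sits above the deny. The model also makes the limitation above concrete: the decision is taken from the channel type alone, and nothing inside a tunnel channel's payload is inspected.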