PAN-OS: Configuring SSH Proxy Decryption

What is SSH Proxy Decryption?

SSH Proxy is the Palo Alto Networks feature for decrypting and inspecting Secure Shell (SSH) traffic. While SSH provides essential confidentiality for remote administration and file transfers (like SCP and SFTP), its encrypted nature creates a blind spot for security inspection. Malicious actors can abuse SSH tunnels for:

By enabling SSH Proxy decryption, the firewall can gain visibility into the SSH payload, allowing App-ID to potentially identify tunneled applications and enabling Threat Prevention (Anti-Spyware, Vulnerability Protection), File Blocking , and potentially Data Filtering profiles to inspect the content within SSH sessions.

This is distinct from SSL/TLS decryption, targeting port 22 (or other ports running SSH) specifically.

How SSH Proxy Works: MITM with Firewall Keys

Similar to SSL Forward Proxy, SSH Proxy operates as a Man-in-the-Middle (MITM):

  1. Client Initiates SSH Connection: An internal client initiates an SSH connection to an external (or internal) server.
  2. Firewall Intercepts: A Decryption Policy rule configured for SSH Proxy matches the session (based on port, usually TCP/22).
  3. Firewall Connects to Server: The firewall establishes its own separate SSH connection to the actual destination server. During this, it receives and typically validates the *real* server's public host key.
  4. Firewall Presents its Key to Client: The firewall presents its *own* unique SSH public host key (typically generated on-the-fly or a pre-generated dedicated key) to the initiating client, essentially pretending to be the destination server.
  5. Client Verification (CRITICAL STEP): The SSH client compares the public key presented by the firewall against its `known_hosts` file (or prompts the user if it's the first connection).
    • If Key is Accepted/Trusted: The user explicitly accepts the firewall's key (or strict host key checking is disabled), the SSH session is established between the client and the *firewall*.
    • If Key is Rejected: The client's strict host key checking detects a mismatch with a previously known key for that destination, or the user refuses to accept the new key. The connection fails, often with a "MAN-IN-THE-MIDDLE ATTACK" warning.
  6. Decryption and Inspection: With two separate SSH sessions active (Client<->Firewall and Firewall<->Server), the firewall decrypts traffic from the client, inspects the payload using enabled Security Profiles, re-encrypts it using the session key from the connection to the real server, and forwards it (and vice-versa).

The firewall essentially acts as an SSH proxy server, terminating the client's connection and initiating a new one to the destination server.

Prerequisites

Configuration Steps

  1. Configure SSH Proxy Settings in Decryption Profile:

    • GUI Path: Objects > Decryption > Decryption Profile
    • Click Add or edit an existing profile. Name it (e.g., `SSH-Proxy-Inspect-Profile`).
    • Navigate to the SSH Proxy tab.
    • Configure Failure Checks:
      • Check `Block sessions with unsupported versions` to prevent use of weak/legacy SSH versions.
      • Check `Block sessions with unsupported algorithms` to enforce strong key exchange, encryption, and MAC algorithms.
    • Click OK.

    These settings ensure only relatively secure SSH parameters are allowed through the decrypted session.

  2. Create a Decryption Policy Rule:

    • GUI Path: Policies > Decryption
    • Click Add .
    • Name: e.g., `Decrypt-Outbound-SSH`.
    • Source Tab: Define Source Zone(s) (e.g., `Trust`), Address(es), User(s).
    • Destination Tab: Define Destination Zone(s) (e.g., `Untrust`), Address(es).
    • Service/URL Category Tab:
      • Service: Select service-ssh (for TCP/22) or a custom service object if SSH runs on a non-standard port.
      • URL Category: Not applicable to SSH Proxy.
    • Options Tab (Crucial):
      • Action: Select `Decrypt` .
      • Type: Select `SSH Proxy` .
      • Decryption Profile: Select the Decryption Profile configured in Step 1 (e.g., `SSH-Proxy-Inspect-Profile`).
    • Click OK.
    • Place this rule appropriately in the Decryption policy list (top-down processing applies). Consider placing "No Decrypt" rules above it for specific SSH destinations that must not be proxied.

  3. Configure Supporting Security Policy & Profiles:

    • Ensure a Security Policy rule exists ( Policies > Security ) that allows the SSH traffic (e.g., Source `Trust`, Dest `Untrust`, Application `ssh` , Service `service-ssh` , Action `Allow`).
    • Crucially, attach relevant Security Profiles (Anti-Spyware, Vulnerability Protection, File Blocking) to this Security Policy rule. The inspection engines operate on the decrypted content based on the Security Policy context.

  4. Address Client Host Key Checking: (External Step / Critical Consideration)

    • Decide how client machines will handle the firewall presenting its proxy key instead of the real server's key. Options include:
      • Disabling strict host key checking on clients (reduces security).
      • Pre-populating client `known_hosts` files with the firewall's proxy key associated with proxied destinations (complex to manage).
      • Training users to manually accept the new key (prone to error, teaches bad habits).
      • Using SSH Certificate Authentication (more advanced, bypasses traditional host key checks if configured correctly).
    • Failure to address this will likely result in connection failures and user complaints.

  5. Commit Changes:

    Commit the configuration to the firewall.

Visualization 

sequenceDiagram
    participant Client as SSH Client
    participant FW as Firewall (SSH Proxy)
    participant Server as SSH Server

    Client->>+FW: 1. Initiate SSH Connection (to Server IP/Port 22)
    Note over FW: Decryption Policy matches (SSH Proxy)
    FW->>+Server: 2. Initiate SSH Connection
    Server-->>FW: 3. Presents Real Server Host Key
    Note over FW: Firewall validates/stores server key (optional)
    FW-->>Client: 4. Presents Firewall's Proxy Host Key
    alt Client Trusts/Accepts Key
        Client->>FW: 5a. Key Accepted, Continue SSH Handshake
        FW->>Server: 5b. Complete Handshake with Server
        Client-->>FW: 6a. Encrypted Session (Client <-> FW)
        FW-->>Server: 6b. Encrypted Session (FW <-> Server)
        Note over FW: Decrypt Client Traffic -> Inspect -> Re-encrypt for Server (and vice-versa)
    else Client Rejects Key
        Client-->>FW: 7. Key Rejected / Connection Error!
    end
    deactivate FW
    deactivate Server
Simplified SSH Proxy Decryption Flow.

Impact and Benefits

Caveats, Gotchas, and Considerations

Best Practices

PCNSE Exam Focus

For the PCNSE exam, regarding SSH Proxy:

SSH Proxy Decryption Quiz

1. What is the primary goal of configuring SSH Proxy decryption on a PAN-OS firewall?

SSH Proxy decrypts SSH traffic, enabling visibility into the payload so that Threat Prevention, File Blocking, and other security engines can inspect it for malicious activity or policy violations.

2. How does the firewall handle server authentication during SSH Proxy decryption?

The firewall acts as a MITM. It connects to the real server, but presents its *own* unique public host key to the client, essentially impersonating the server from the client's perspective for key exchange.

3. What is the most significant operational challenge or caveat when implementing SSH Proxy?

Because the firewall presents its own key, standard SSH clients with strict host key checking enabled will detect a key mismatch for known servers, leading to warnings or connection failures unless client configurations are adjusted or keys are pre-trusted.

4. Where is SSH Proxy decryption enabled for specific traffic flows?

Like SSL decryption, SSH decryption is controlled via Decryption Policy rules (Policies > Decryption). You create a rule matching the desired SSH traffic (port 22 or custom) and set the Action to 'Decrypt' and the Type to 'SSH Proxy'.

5. To detect malware being transferred via SFTP (SSH File Transfer Protocol), which two configurations are essential?

First, the SSH session carrying SFTP must be decrypted using an SSH Proxy Decryption rule. Second, the Security Policy rule allowing the App-ID `ssh` must have appropriate Security Profiles (Antivirus and/or WildFire) attached to inspect the decrypted file content.

6. What settings are configured within the SSH Proxy tab of a Decryption Profile?

The Decryption Profile's SSH Proxy tab primarily controls security parameters for the proxied connection, allowing administrators to block sessions attempting to use weak or outdated SSH versions or cryptographic algorithms.

7. If SSH Proxy decryption is enabled, what Application ID will typically be shown in the Traffic logs for the decrypted session?

Even with decryption providing payload visibility for threat/file inspection, App-ID generally still identifies the overall protocol as `ssh`. Identifying specific tunneled applications within SSH is much less common than with SSL decryption.

8. A Security Policy rule allowing App-ID `ssh` has Threat Prevention profiles applied. SSH Proxy is NOT enabled via Decryption policy. Can the Threat Prevention profiles inspect the SSH payload?

Security Profiles like Threat Prevention require visibility into the actual data payload. If SSH traffic is not decrypted via an SSH Proxy Decryption policy, the firewall cannot inspect the encrypted content for threats.

9. What is a recommended best practice when implementing SSH Proxy decryption?

Due to the potential for client-side issues (host key checking) and performance impact, it's best practice to apply SSH decryption only where needed for security, rather than enabling it broadly across all SSH traffic.

10. If an administrator disables strict host key checking on client machines to make SSH Proxy work smoothly, what is the associated security risk?

Strict host key checking is an important SSH security feature designed to detect MITM attacks by verifying if a server's host key has changed unexpectedly. Disabling it on the client removes this protection for *all* SSH connections made from that client, not just the ones proxied by the firewall.