🔐 Palo Alto SSH Proxy – Configuration, Troubleshooting & PCNSE Guide
1. Overview
SSH Proxy enables Palo Alto Networks firewalls to decrypt and inspect SSH traffic, preventing the use of SSH for tunneling malicious applications and content. It supports both inbound and outbound SSH sessions and operates by establishing separate SSH sessions with the client and the server.
2. Configuration Steps
- Ensure Interface Types: SSH Proxy decryption can be performed on virtual wire, Layer 2, or Layer 3 interfaces.
- Create Decryption Policy Rule:
  - Navigate to Policies > Decryption.
  - Define a rule with the following settings:
    - Action: Decrypt
    - Type: SSH Proxy
  - Attach a Decryption Profile to control aspects such as the handling of unsupported SSH versions and algorithms.
- Commit Configuration: save and commit the changes to apply the configuration.
- (Optional) Create Decryption Exclusions: exclude specific traffic from decryption as needed.
Note: SSH Proxy does not require certificates; the firewall automatically generates the key used for SSH decryption during boot-up.
3. Common Issues and Troubleshooting
- Unsupported Algorithms: ensure that the SSH versions and algorithms in use are supported by the firewall; unsupported parameters cause decryption failures.
- SSH Tunneling: the firewall cannot decrypt traffic carried inside an SSH tunnel. To prevent this, configure a Security policy rule that denies the ssh-tunnel application.
- Authentication Failures: SSH Proxy does not support public key-based authentication. Use username and password authentication, or exclude systems that require key-based authentication from decryption policies.
- QoS Limitations: proxied SSH traffic does not support DSCP code points or QoS.
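The two troubleshooting points above (allowed ssh-tunnel sessions and decryption failures) can be checked against exported traffic logs. The script below is an added example, not Palo Alto Networks code; its CSV layout is a constructed, simplified subset of traffic log fields, and the sample rows and end-reason values are constructed sample data.

```python
"""Audit PAN-OS-style traffic logs for the two SSH Proxy issues described above:
ssh-tunnel sessions that were not denied, and proxied sessions that ended with a
decryption failure. The CSV layout and every value below are constructed sample
data (a simplified subset of traffic log fields), not a real PAN-OS export."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample: plain ssh, an allowed tunnel (policy gap), a denied tunnel, two decrypt failures.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,action,rule,session_end_reason
2024/05/01 09:00:01,10.1.1.20,203.0.113.10,22,ssh,allow,Allow-SSH-Out,tcp-fin
2024/05/01 09:02:15,10.1.1.21,203.0.113.11,22,ssh-tunnel,allow,Allow-SSH-Out,tcp-fin
2024/05/01 09:03:40,10.1.1.22,203.0.113.12,22,ssh-tunnel,deny,Block-SSH-Tunnel,policy-deny
2024/05/01 09:05:05,10.1.1.23,203.0.113.13,2222,ssh-tunnel,allow,Allow-Any,tcp-fin
2024/05/01 09:06:30,10.1.1.24,203.0.113.14,22,ssh,allow,Allow-SSH-Out,decrypt-unsupport-param
2024/05/01 09:07:12,10.1.1.25,203.0.113.15,22,ssh,allow,Allow-SSH-Out,decrypt-error
"""

# Constructed set of session end reasons treated here as SSH Proxy decryption
# trouble (unsupported algorithm/version, or a handshake the proxy could not finish).
DECRYPT_FAILURE_REASONS = {"decrypt-unsupport-param", "decrypt-error"}

def parse_traffic_log(text):
    """Parse CSV traffic log text into a list of field dictionaries."""
    return list(csv.DictReader(StringIO(text)))

def allowed_tunnels(records):
    """Sessions App-ID classified as ssh-tunnel that no rule denied: each one is
    a tunnel the firewall could not inspect and that should have been blocked."""
    return [r for r in records if r["app"] == "ssh-tunnel" and r["action"] != "deny"]

def rules_missing_tunnel_block(records):
    """Security rules that let ssh-tunnel through; a deny rule for the
    ssh-tunnel application must be ordered above each of them."""
    return sorted({r["rule"] for r in allowed_tunnels(records)})

def decrypt_failures_by_server(records):
    """Count decryption failures per destination; a server that fails repeatedly
    is a candidate for an algorithm fix or a decryption exclusion."""
    return Counter(r["dst"] for r in records
                   if r["app"] == "ssh" and r["session_end_reason"] in DECRYPT_FAILURE_REASONS)

if __name__ == "__main__":
    recs = parse_traffic_log(SAMPLE_LOG)
    for r in allowed_tunnels(recs):
        print(f"tunnel allowed: {r['src']} -> {r['dst']}:{r['dport']} via rule {r['rule']}")
    print("rules needing an ssh-tunnel deny:", rules_missing_tunnel_block(recs))
    print("decrypt failures per server:", dict(decrypt_failures_by_server(recs)))
```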
4. PCNSE Exam Insights
For PCNSE exam preparation, understand the following about SSH Proxy:
- Decryption Policy Types: the firewall provides three types of decryption policy rules: SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy.
- Certificate Requirements: configuring SSH Proxy does not require certificates; the key used to decrypt SSH sessions is generated automatically on the firewall during boot-up.
- Decryption Profiles: decryption profiles can be attached to policy rules to apply granular access settings to traffic, such as checks for unsupported modes and failures.
5. Packet Flow Diagram
sequenceDiagram
participant Client
participant Firewall
participant Server
Client->>Firewall: SSH Connection Request
Firewall->>Server: SSH Connection Request
Server->>Firewall: SSH Response
Firewall->>Client: SSH Response with Proxy Key
Client->>Firewall: Encrypted Data
Firewall->>Server: Encrypted Data
Server->>Firewall: Encrypted Response
Firewall->>Client: Encrypted Response