Palo Alto Networks Knowledgebase: How to Implement SSH Decryption on a Palo Alto Networks Device

How to Implement SSH Decryption on a Palo Alto Networks Device

Created On 09/25/18 17:51 PM - Last Updated 02/08/19 00:07 AM


PAN-OS can decrypt and inspect inbound and outbound SSH connections passing through the firewall. For SSH decryption, there is no certificate necessary. The key used for decryption is automatically generated when the firewall boots up. During the bootup process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is for decrypting SSH sessions for all VSYS configured on the device. The same key is used for decrypting all SSH v2 sessions.


  1. Go to Policies > Decryption on the web UI.
  2. Create a decryption rule and specify the zones where the ssh decryption should be performed.
  3. You can also create a decryption profile to be applied to the rule:
  4. Commit the change.

The firewall sessions that are subject to decryption are identified by an asterisk. To view these sessions, use the filter “match *” as shown below:

> show session all | match *

36496 ssh ACTIVE FLOW *[54618]/trust/6


Note: The asterisk is used to identify both SSL and SSH decrypted sessions.

See Also

For more information on port forwarding inside SSH, see: Details on Port Forwarding Inside SSH.

owner: pvemuri

  • Print
  • Copy Link

Choose Language