How to Implement SSH Decryption on a Palo Alto Networks Device

Created On 09/25/18 17:51 PM - Last Modified 06/02/23 01:45 AM


Resolution


Overview

PAN-OS can decrypt and inspect inbound and outbound SSH connections passing through the firewall. SSH decryption requires no certificate: the key used for decryption is generated automatically when the firewall boots. During bootup the firewall checks whether a key already exists and generates one if it does not. This single key is used to decrypt SSH sessions for all VSYS configured on the device, and the same key is used for every SSH v2 session.

 

Steps

  1. Go to Policies > Decryption on the web UI.
  2. Create a decryption rule and specify the zones where SSH decryption should be performed.
     (screenshot: ssh.png)
  3. Optionally, create a decryption profile and apply it to the rule:
     (screenshot: profssh.png)
  4. Commit the change.

 

Firewall sessions that are subject to decryption are marked with an asterisk in the session table. To list only those sessions, use the filter “match *” as shown below:

> show session all | match *

36496        ssh            ACTIVE  FLOW  *    10.16.0.34[54618]/trust/6  (10.16.0.34[54618])

Note: The asterisk is used to identify both SSL and SSH decrypted sessions.
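Because the asterisk marks both SSL and SSH decrypted sessions, a "match *" filter alone does not tell you which SSH sessions the new rule is actually decrypting. The following parser, an added example and not Palo Alto Networks code, reads the session table format shown above (ID, Application, State, Type, Flag, Src[Sport]/Zone/Proto) and returns the decrypted sessions, optionally restricted to one application. The second line of each entry (Vsys and Dst[Dport]/Zone) is assumed from the standard "show session all" table layout, and the sample output embedded below is constructed for this example; only the 10.16.0.34 host comes from the article.

```python
"""Pick decrypted sessions out of PAN-OS 'show session all' output.

Added example, not Palo Alto Networks code. A '*' in the Flag column marks
a session that the firewall is decrypting (SSL or SSH). The two-line entry
layout (second line = Vsys + Dst[Dport]/Zone) is assumed from the standard
table format; the sample below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one decrypted SSH session, one SSH session that is not
# decrypted, and one decrypted SSL session (documentation-range addresses).
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
36496        ssh            ACTIVE  FLOW  *    10.16.0.34[54618]/trust/6  (10.16.0.34[54618])
vsys1                                          192.0.2.10[22]/untrust  (192.0.2.10[22])
36497        ssh            ACTIVE  FLOW       10.16.0.35[41002]/trust/6  (10.16.0.35[41002])
vsys1                                          192.0.2.11[22]/untrust  (192.0.2.11[22])
36498        ssl            ACTIVE  FLOW  *    10.16.0.36[50110]/trust/6  (10.16.0.36[50110])
vsys1                                          198.51.100.5[443]/untrust  (198.51.100.5[443])
"""


@dataclass(frozen=True)
class Session:
    session_id: int
    application: str
    state: str
    decrypted: bool
    src: str
    src_port: int
    src_zone: str
    protocol: int
    vsys: str
    dst: str
    dst_port: int
    dst_zone: str


# First line of an entry. The Flag column is blank when the session is not
# decrypted, so the '*' is optional.
_FIRST = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<flag>\*)?\s*(?P<src>[0-9a-fA-F.:]+)\[(?P<sport>\d+)\]/"
    r"(?P<szone>[^/\s]+)/(?P<proto>\d+)"
)
# Second line of an entry: vsys name, then Dst[Dport]/Zone.
_SECOND = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[0-9a-fA-F.:]+)\[(?P<dport>\d+)\]/(?P<dzone>[^/\s(]+)"
)


def parse_sessions(text: str) -> list[Session]:
    """Parse the two-line session entries; header and separator lines are skipped."""
    sessions: list[Session] = []
    pending: Optional[re.Match[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        first = _FIRST.match(line)
        if first:
            pending = first          # wait for the matching second line
            continue
        second = _SECOND.match(line) if pending else None
        if pending and second:
            sessions.append(Session(
                session_id=int(pending["id"]),
                application=pending["app"],
                state=pending["state"],
                decrypted=pending["flag"] == "*",
                src=pending["src"],
                src_port=int(pending["sport"]),
                src_zone=pending["szone"],
                protocol=int(pending["proto"]),
                vsys=second["vsys"],
                dst=second["dst"],
                dst_port=int(second["dport"]),
                dst_zone=second["dzone"],
            ))
            pending = None
    return sessions


def decrypted_sessions(text: str, application: Optional[str] = None) -> list[Session]:
    """Return decrypted sessions, optionally only those of one application (e.g. 'ssh')."""
    return [
        s for s in parse_sessions(text)
        if s.decrypted and (application is None or s.application == application)
    ]


if __name__ == "__main__":
    for s in decrypted_sessions(SAMPLE_OUTPUT, application="ssh"):
        print(f"{s.session_id} {s.application} {s.src}:{s.src_port} -> "
              f"{s.dst}:{s.dst_port} ({s.src_zone} -> {s.dst_zone}, {s.vsys})")
```

Feeding the captured CLI output to `decrypted_sessions(output, application="ssh")` yields only the SSH sessions the decryption rule is acting on; an SSH session between the configured zones that shows up without the asterisk is the quickest sign that the rule's zones, or the commit, did not take effect.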

 

See Also

For more information on SSH proxy, see: SSH proxy

 

owner: pvemuri


