Palo Alto Networks Knowledgebase: Details on Port Forwarding Inside SSH

Details on Port Forwarding Inside SSH

Created On 07/17/19 21:11 PM - Last Updated 07/17/19 22:30 PM
Resolution

Enabling port forwarding in SSH makes it possible to tunnel other applications through an SSH connection. This poses a security risk: the tunneled traffic is carried inside the encrypted SSH session, so it is classified simply as SSH and users can circumvent the application-based security policies on the Palo Alto Networks device.


The Palo Alto Networks device addresses this risk with the SSH Proxy feature. A decryption policy can be configured on the device to decrypt SSH sessions. Under this policy, if a user sets up any SSH local or dynamic port forwarding, remote forwarding, or X11 forwarding, the session is identified as an SSH tunnel rather than as plain SSH. Action can then be taken on the SSH tunnel application (App-ID ssh-tunnel) according to the security policy, for example allowing interactive SSH while blocking tunneling.
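The following is an added illustration, not code from Palo Alto Networks and not a description of PAN-OS internals. It shows what a decrypting SSH proxy can observe once it sits in the middle of an SSH-2 session: the RFC 4254 connection-protocol messages that set up local forwarding (ssh -L and ssh -D open direct-tcpip channels), remote forwarding (ssh -R sends a tcpip-forward global request) and X11 forwarding (ssh -X sends an x11-req channel request), versus the session channel and shell request of an ordinary login. The message numbers and field layouts are taken from RFC 4254; the sample sessions are constructed here, and the classify() rule that maps those names to "ssh-tunnel" is this example's own model of the distinction the article describes.

```python
"""Classify decrypted SSH connection-protocol messages (RFC 4254) as a plain
shell session or an SSH tunnel.

Added illustration, not Palo Alto Networks code. A decrypting SSH proxy sits
between client and server as a man in the middle, so it sees the plaintext
channel-open, channel-request and global-request messages that carry the
forwarding setup. The name-to-verdict mapping below is this example's own
model of the classification the article describes, not PAN-OS internals.
"""
import struct

# Message numbers from RFC 4254, section 9.
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Names that only appear when port forwarding or X11 forwarding is in use.
TUNNEL_CHANNEL_TYPES = {"direct-tcpip", "forwarded-tcpip", "x11"}
TUNNEL_GLOBAL_REQUESTS = {"tcpip-forward"}
TUNNEL_CHANNEL_REQUESTS = {"x11-req"}


def _string(s: str) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    data = s.encode()
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an RFC 4251 string at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n].decode(), off + n


# --- Constructed sample messages, laid out as a client would send them ----

def channel_open(channel_type: str, extra: bytes = b"") -> bytes:
    """SSH_MSG_CHANNEL_OPEN: type, sender channel, window, max packet, extra."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(channel_type)
            + struct.pack(">III", 0, 2097152, 32768) + extra)


def channel_request(request_type: str, recipient: int = 0, extra: bytes = b"") -> bytes:
    """SSH_MSG_CHANNEL_REQUEST: recipient channel, request type, want-reply, extra."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient)
            + _string(request_type) + b"\x01" + extra)


def global_request(request_name: str, extra: bytes = b"") -> bytes:
    """SSH_MSG_GLOBAL_REQUEST: request name, want-reply, extra."""
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + _string(request_name) + b"\x01" + extra


def classify(messages):
    """Return ("ssh-tunnel", reason) if any message sets up forwarding, else ("ssh", None).

    Only the message number and the leading name field are inspected; that is
    enough to recognise the forwarding setup. The bytes carried inside the
    tunnel are never examined, matching the article's note that no content
    inspection is done on the tunnel session.
    """
    for msg in messages:
        kind = msg[0]
        if kind == SSH_MSG_CHANNEL_OPEN:
            name, _ = _read_string(msg, 1)
            if name in TUNNEL_CHANNEL_TYPES:
                return "ssh-tunnel", f"channel open {name}"
        elif kind == SSH_MSG_GLOBAL_REQUEST:
            name, _ = _read_string(msg, 1)
            if name in TUNNEL_GLOBAL_REQUESTS:
                return "ssh-tunnel", f"global request {name}"
        elif kind == SSH_MSG_CHANNEL_REQUEST:
            name, _ = _read_string(msg, 5)  # skip the uint32 recipient channel
            if name in TUNNEL_CHANNEL_REQUESTS:
                return "ssh-tunnel", f"channel request {name}"
    return "ssh", None


# Constructed sessions approximating what each OpenSSH invocation sends.
# Request payloads irrelevant to the classification (e.g. pty-req modes) are omitted.
PLAIN_SHELL = [channel_open("session"), channel_request("pty-req"), channel_request("shell")]
LOCAL_FORWARD = [channel_open("session"), channel_request("shell"),
                 # ssh -L 8080:intranet:80 host  (ssh -D SOCKS produces the same channel type)
                 channel_open("direct-tcpip", _string("intranet") + struct.pack(">I", 80)
                              + _string("127.0.0.1") + struct.pack(">I", 51234))]
REMOTE_FORWARD = [channel_open("session"), channel_request("shell"),
                  # ssh -R 2222:localhost:22 host
                  global_request("tcpip-forward", _string("") + struct.pack(">I", 2222))]
X11_FORWARD = [channel_open("session"),
               # ssh -X host: single-connection flag, auth protocol, cookie, screen number
               channel_request("x11-req", 0, b"\x00" + _string("MIT-MAGIC-COOKIE-1")
                               + _string("00" * 16) + struct.pack(">I", 0)),
               channel_request("shell")]

if __name__ == "__main__":
    for label, session in [("plain shell", PLAIN_SHELL), ("ssh -L", LOCAL_FORWARD),
                           ("ssh -R", REMOTE_FORWARD), ("ssh -X", X11_FORWARD)]:
        print(f"{label:12s} -> {classify(session)}")
```

The point of the example is where the visibility comes from: these names are only readable because the proxy holds the session keys on both legs of the man-in-the-middle connection. Without decryption, all four sessions look identical on the wire, which is why a policy that merely matches the ssh application cannot tell forwarding apart from an interactive login.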


Important!

  1. The same "man in the middle" method used for SSL decryption is used for SSH proxy: the device terminates the client's SSH connection and opens its own connection to the server. The client therefore sees the device's host key rather than the server's, and a client that already has the server's key in its known_hosts file will warn that the host key has changed.
  2. The Palo Alto Networks device supports only SSH version 2.
    A client that supports only SSH version 1 cannot complete the version exchange when it receives the SSH-2.0 version string from the Palo Alto Networks device and should exit at that point.
  3. Content and threat inspection is not done on the SSH tunnel session. The device identifies the session as an SSH tunnel and applies the security policy to it, but it does not inspect the application traffic carried inside the tunnel.


See Also

How to Implement SSH Decryption on a Palo Alto Networks Device


owner: swhyte



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZFCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
