Unable to see and forward SSH Proxy decryption logs


Created On 02/10/25 11:08 AM - Last Modified 03/25/25 21:12 PM


Symptom


  • When configuring an SSH Proxy decryption rule, the Log Settings section under Options is greyed out
  • SSH Proxy decrypted traffic does not appear in the Decryption logs

GUI: Policies > Decryption > Add



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • SSH Proxy
  • Decryption


Cause


  • Unlike TLS decryption, SSH Proxy decryption cannot determine the specific application or type of traffic being tunneled.
  • SSH Proxy decryption generates its own session key upon startup, which it uses to decrypt SSH sessions. This process does not rely on certificates.
  • Since there is no TLS handshake in SSH Proxy decryption, it is not possible to log successful or unsuccessful TLS handshake events the way other decryption methods do.
  • The firewall can detect the presence of an SSH tunnel and either allow or deny it based on the configured security policies.


Resolution


  1. To forward the SSH Proxy-related logs, configure log forwarding under the security policy rule that allows or denies the tunneled traffic.
  2. The decrypted traffic is visible in the Traffic logs with the application ssh-tunnel.
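
An added configuration example, not from the article, showing the relationship the Resolution describes in PAN-OS CLI set syntax: the decryption rule of type ssh-proxy carries no log settings, so the log forwarding profile is attached to the security rule that matches the ssh-tunnel application. Rule, profile and zone names (Decrypt-Outbound-SSH, Allow-SSH-Tunnel, LFP-to-SIEM, SIEM-syslog, trust, untrust) are assumed placeholders, lines beginning with # are annotations rather than CLI input, and the exact command syntax should be checked against the PAN-OS version in use.

```text
# Decryption rule of type ssh-proxy. There is no log-setting option on this
# rule; this is the greyed-out Log Settings section the Symptom refers to.
set rulebase decryption rules Decrypt-Outbound-SSH from trust to untrust
set rulebase decryption rules Decrypt-Outbound-SSH source any destination any
set rulebase decryption rules Decrypt-Outbound-SSH service any
set rulebase decryption rules Decrypt-Outbound-SSH action decrypt
set rulebase decryption rules Decrypt-Outbound-SSH type ssh-proxy

# Log forwarding profile that sends Traffic logs to a syslog server profile
# (SIEM-syslog is an assumed name and must be defined separately).
set shared log-settings profiles LFP-to-SIEM match-list all-traffic log-type traffic
set shared log-settings profiles LFP-to-SIEM match-list all-traffic filter "All Logs"
set shared log-settings profiles LFP-to-SIEM match-list all-traffic send-syslog SIEM-syslog

# Security rule that allows or denies the tunneled traffic. This is where log
# forwarding for SSH Proxy sessions is configured; the sessions appear in the
# Traffic log with application ssh-tunnel and this rule name.
set rulebase security rules Allow-SSH-Tunnel from trust to untrust
set rulebase security rules Allow-SSH-Tunnel source any destination any
set rulebase security rules Allow-SSH-Tunnel application ssh-tunnel
set rulebase security rules Allow-SSH-Tunnel service application-default
set rulebase security rules Allow-SSH-Tunnel action allow
set rulebase security rules Allow-SSH-Tunnel log-setting LFP-to-SIEM
set rulebase security rules Allow-SSH-Tunnel log-end yes
```

After committing, filter the Traffic log on the ssh-tunnel application and the Allow-SSH-Tunnel rule to confirm that the decrypted sessions are being logged and forwarded.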


Additional Information


Decryption Overview

How to configure SSH-Proxy decryption


