created by pvemuri on Oct 17, 2013 11:27 AM, last modified by panagent on Oct 3, 2014 12:00 PM
Overview
PAN-OS has the ability to decrypt and inspect inbound and outbound SSH connections passing through the
firewall. For SSH decryption, there is no certificate necessary. The key used for decryption is automatically
generated when the firewall boots up. During the bootup process, the firewall checks to see if there is an existing
key. If not, a key is generated. This key will be used for decrypting SSH sessions for all VSYS configured on the
device. The same key will also be used for decrypting all SSH v2 sessions.
Steps
1. Go to Policies > Decryption on the web UI.
2. Create a decryption rule and specify the zones where SSH decryption should be performed.
https://live.paloaltonetworks.com/docs/DOC-6058 Page 1 of 3
How to Implement SSH Decryption on a Palo Alto ... | Palo Alto Networks Live 3/24/15, 2:16 PM
The firewall sessions that are subject to decryption are identified by an asterisk. To view these sessions, use the
filter match * as shown below:
> show session all | match *
36496 ssh ACTIVE FLOW * 10.16.0.34[54618]/trust/6
(10.16.0.34[54618])
Note: The asterisk is used to identify both SSL and SSH decrypted sessions.
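Because the asterisk marks SSL as well as SSH sessions, saved CLI output has to be split on the application column to see which SSH sessions were actually decrypted. The following is an added example, not part of the original article or of PAN-OS: it assumes the column order of the session line shown above (ID, application, state, type, flag, source); the function names and every sample line except the first are constructed for illustration.

```python
import re
from typing import NamedTuple

class Session(NamedTuple):
    sid: str
    app: str
    state: str
    kind: str
    flag: str       # "" when the flag column is empty
    src_ip: str
    src_port: int
    zone: str
    proto: int

# ID  application  state  type  [flag]  src[sport]/zone/proto
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(?:([^\s\[]+)\s+)?"                        # flag column is optional
    r"([0-9A-Fa-f.:]+)\[(\d+)\]/([^/\s]+)/(\d+)"
)

def parse(text):
    """Parse session rows; header, separator and continuation lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sid, app, state, kind, flag, ip, port, zone, proto = m.groups()
            rows.append(Session(sid, app, state, kind, flag or "",
                                ip, int(port), zone, int(proto)))
    return rows

def decrypted(text, app=None):
    """Sessions carrying the asterisk, optionally limited to one application."""
    return [s for s in parse(text) if "*" in s.flag and app in (None, s.app)]

def not_decrypted(text, app):
    """Sessions of `app` without the asterisk, i.e. not matched by a decryption rule."""
    return [s for s in parse(text) if s.app == app and "*" not in s.flag]

# First row is the line from the article; the other rows are constructed samples.
SAMPLE = """\
--------------------------------------------------------------
36496 ssh ACTIVE FLOW * 10.16.0.34[54618]/trust/6 (10.16.0.34[54618])
36501 ssl ACTIVE FLOW * 10.16.0.40[50211]/trust/6 (10.16.0.40[50211])
36502 ssh ACTIVE FLOW 10.16.0.41[40022]/trust/6 (10.16.0.41[40022])
"""

if __name__ == "__main__":
    print("decrypted ssh:", [s.sid for s in decrypted(SAMPLE, "ssh")])
    print("ssh not decrypted:", [s.sid for s in not_decrypted(SAMPLE, "ssh")])
```

An SSH session listed by not_decrypted() entered or left through a zone that the decryption rule does not cover, which is the first thing to check when expected SSH traffic is not being inspected.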
See Also
For more information on port forwarding inside SSH, see: Details on Port Forwarding Inside SSH.
owner: pvemuri