
How to Implement SSH Decryption on a Palo Alto ...

| Palo Alto Networks Live 3/24/15, 2:16 PM


How to Implement SSH Decryption on a Palo Alto Networks Device Version 10

created by pvemuri on Oct 17, 2013 11:27 AM, last modified by panagent on Oct 3, 2014 12:00 PM

Overview
PAN-OS has the ability to decrypt and inspect inbound and outbound SSH connections passing through the
firewall. For SSH decryption, there is no certificate necessary. The key used for decryption is automatically
generated when the firewall boots up. During the bootup process, the firewall checks to see if there is an existing
key. If not, a key is generated. This key will be used for decrypting SSH sessions for all VSYS configured on the
device. The same key will also be used for decrypting all SSH v2 sessions.

Steps
1. Go to Policies > Decryption on the web UI.
2. Create a decryption rule and specify the zones where the SSH decryption should be performed.
3. You can also create a decryption profile to be applied to the rule.

https://live.paloaltonetworks.com/docs/DOC-6058 Page 1 of 3

4. Commit the change.

The firewall sessions that are subject to decryption are identified by an asterisk. To view these sessions, use the
filter match * as shown below:
> show session all | match *
36496 ssh ACTIVE FLOW * 10.16.0.34[54618]/trust/6
(10.16.0.34[54618])
Note: The asterisk is used to identify both SSL and SSH decrypted sessions.
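
To check that the decryption rule is actually catching SSH traffic from the zones it names, the session listing can be saved and parsed. The following is an added example, not part of the original document or of PAN-OS: it assumes each session row has the layout of the row shown above, and the sample rows other than that one, the "dmz" zone and the function names are constructed for illustration.

```python
import re

# Constructed sample rows: the first is the row shown above, the rest are
# made up in the same layout (IDs, addresses and the "dmz" zone are invented).
SAMPLE = """\
36496 ssh ACTIVE FLOW * 10.16.0.34[54618]/trust/6 (10.16.0.34[54618])
36501 ssh ACTIVE FLOW 10.16.0.35[40112]/trust/6 (10.16.0.35[40112])
36510 ssl ACTIVE FLOW * 10.16.0.36[51544]/trust/6 (10.16.0.36[51544])
36522 ssh ACTIVE FLOW 10.16.9.7[33210]/dmz/6 (10.16.9.7[33210])
36530 dns ACTIVE FLOW 10.16.0.34[53411]/trust/17 (10.16.0.34[53411])
"""

# Assumed row layout, taken from the row above:
# id, application, state, type, optional flag, source[port]/zone/protocol
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>\S+)\s+)?"
    r"(?P<src>[^\s\[]+)\[(?P<sport>\d+)\]/(?P<zone>[^/\s]+)/(?P<proto>\d+)"
)

def parse_sessions(text):
    """Return one dict per session row; lines in any other layout are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        # The asterisk in the flag column marks a decrypted (SSL or SSH) session.
        row["decrypted"] = "*" in (row["flag"] or "")
        sessions.append(row)
    return sessions

def undecrypted_ssh(text, zones):
    """IDs of ssh sessions sourced from `zones` that carry no asterisk."""
    return [s["id"] for s in parse_sessions(text)
            if s["app"] == "ssh" and s["zone"] in zones and not s["decrypted"]]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        mark = "decrypted" if s["decrypted"] else "clear"
        print(s["id"], s["app"], s["zone"], mark)
    print("ssh without decryption from trust:", undecrypted_ssh(SAMPLE, {"trust"}))
```

Pass the set of source zones named in the decryption rule; any ID returned is an SSH session from those zones that the firewall is forwarding without decryption.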

See Also
For more information on port forwarding inside SSH, see: Details on Port Forwarding Inside SSH.

owner: pvemuri
