Implementation details
The PAN-OS firewall acts as a man-in-the-middle, proxying SSH connections in order to
decrypt them. The current implementation supports only SSH v2. The diagram below shows a
high-level overview of a firewall proxying an SSH connection.
Key generation
The key used for decryption is generated automatically when the firewall boots. During bootup the
firewall checks whether a key already exists; if not, one is generated. This key is used for
decrypting SSH sessions for all VSYS configured on the device, and the same key is used for
decrypting all SSH v2 sessions.
Note: In an HA cluster, the keys are synchronized between devices, so the client will not be
prompted to accept new keys when a device in the cluster fails.
To prevent SSH tunneling, a security rule with the application SSH-Tunnel and the action deny
must be configured. An SSH decryption rule to decrypt the traffic is also required. In the example
shown below, a security policy denying SSH tunnels between any hosts is created, together with an
SSH decrypt rule configured to permit traffic in case the session cannot be decrypted.
Security Policy
Decrypt Rule
If the server and client support only SSH v1, the SSH decrypt rule can be configured to either drop
the connection or skip SSH decryption for it. If the rule is configured to allow, then when the client
initiates an SSH v1 connection, the client and server IP addresses are added to the exclude cache in
order to bypass decryption. Once the client and server IP addresses are in the cache, all
subsequent SSH connections between this pair of hosts are exempt from SSH decryption.
While the client and server IPs are being added to the exclude cache, the first connection
attempt fails: the firewall inspects the server response to verify that the server supports only
version 1 before adding the pair to the exclude cache, so the client has to reinitiate the connection
to the server. The exclude cache can be viewed with the command show system setting
ssl-decrypt exclude-cache. The default timeout of the cache is 43200 seconds; this
is not user configurable.
The cache can be cleared with the operational command debug dataplane reset
ssl-decrypt exclude-cache.
Case 4: Client and server use unsupported encryption and MAC methods
Where the cipher and MAC aren't supported, the decrypt rule can be set to either drop the
connection or bypass it. If set to allow and decryption fails, the source and destination IP address
pair is added to the exclude cache.
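The two failure cases above (SSH v1-only server, unsupported cipher/MAC) share the same exclude-cache mechanics. The Python model below is an added illustration written for this page, not PAN-OS code; the class name, the sample cipher list and the treatment of an SSH-1.99 banner as v2-capable are assumptions made for the example.

```python
from dataclasses import dataclass, field

EXCLUDE_CACHE_TIMEOUT = 43200  # seconds; fixed, not user configurable (per the tech note)


@dataclass
class SshDecryptModel:
    """Hypothetical model of how an SSH decrypt rule handles sessions it cannot decrypt."""
    action_on_failure: str = "allow"   # "allow" (bypass) or "drop", mirroring the decrypt rule option
    supported_ciphers: frozenset = frozenset({"aes128-ctr", "aes256-ctr"})   # assumed sample set
    exclude_cache: dict = field(default_factory=dict)   # (client_ip, server_ip) -> expiry timestamp

    def in_exclude_cache(self, client_ip, server_ip, now):
        """True if the pair is currently exempt; expired entries are dropped so decryption resumes."""
        expiry = self.exclude_cache.get((client_ip, server_ip))
        if expiry is None:
            return False
        if now >= expiry:
            del self.exclude_cache[(client_ip, server_ip)]
            return False
        return True

    def handle_connection(self, client_ip, server_ip, server_banner, cipher, now):
        """Return the firewall's verdict for one SSH connection attempt."""
        if self.in_exclude_cache(client_ip, server_ip, now):
            return "bypass"            # pair already exempt: forwarded without decryption
        # Server identification string is "SSH-<protoversion>-<softwareversion>" (RFC 4253).
        # Assumption: "1.99" advertises v2 compatibility, so it is treated as decryptable.
        proto = server_banner.split("-", 2)[1]
        decryptable = proto in ("2.0", "1.99") and cipher in self.supported_ciphers
        if decryptable:
            return "decrypt"
        if self.action_on_failure == "drop":
            return "drop"
        # Allow mode: the first attempt still fails, but the pair is cached so the
        # client's retry (and every later connection until expiry) skips decryption.
        self.exclude_cache[(client_ip, server_ip)] = now + EXCLUDE_CACHE_TIMEOUT
        return "fail-then-exclude"
```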
Verification
Firewall sessions that are subject to decryption are identified by an asterisk. To view these
sessions, use the filter match * as shown below. Note that the asterisk identifies both SSL- and
SSH-decrypted sessions.
Traffic logs for the sessions subject to decryption can be viewed from the traffic logs under the
Monitor section.
Summary
The fundamental architecture of Palo Alto Networks next-generation firewalls provides network
security by enabling enterprises to see and control applications, users, and content, not just ports,
IP addresses, and packets, using three unique identification technologies: App-ID, User-ID, and
Content-ID. These features are complemented by robust hardware designed to provide
separation of the control plane and data plane. This separation ensures highly available management,
high-speed logging and route updates, while the dataplane does all the security processing.
Combined with features like SSH tunnel control, they reinforce security in the network.