You configure SSH inspection rules at the security-policy ssh-inspection level. For more details on the command structure, see Configuring rules using UPL.
Parameters for SSH inspection rules are listed below.
| Parameter | Description |
|---|---|
| OK PASS | SSH inspection rule action: |
| enabled | Enable/disable a rule: |
| name | SSH inspection rule name. Example: name("SSH inspection rule example"). |
| desc | A description of the rule. Example: desc("SSH inspection rule example configured in CLI"). |
| rule_log | Log traffic information if the rule is triggered. The available options are: |
| block_ssh_shell | Block the SSH remote shell (command-line interpreter). Available for rules with the Decrypt action: |
| block_ssh_exec | Block SSH remote command execution. Available for rules with the Decrypt action: |
| ssh_command | The Linux command to transmit, in the format ssh user@host 'command'. Example: ssh_command("ssh root@192.168.1.1 reboot"). You can edit SSH commands for rules with the Decrypt action. |
| block_sftp | Block SFTP (SSH File Transfer Protocol) connections. Available for rules with the Decrypt action: |
| user | Users and user groups to which the SSH inspection rule applies (local or LDAP). To add LDAP users and groups, you need a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors). The following line adds a local user (local_user), a local group (Local Group), an LDAP user (example.loc\AD_user) and an LDAP group (AD group): user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC= example, DC=loc"). The Active Directory domain example.loc has already been configured. When adding LDAP users and groups, you can specify a list of paths on the server from which the system will start searching for users and groups. |
| src.zone | Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about configuring zones using the CLI, see Zones. |
| src.ip | Add source IP address lists or domain lists. Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses. Example for domains: src.ip = lib.url(). Specify, in parentheses, the URL list to which the required domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists. |
| src.geoip | Source GeoIP. Specify a country code (for example, src.geoip = AE); see the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. |
| dst.ip | Add destination IP address lists or domain lists. To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses. To specify a domain list: dst.ip = lib.url(). Specify, in parentheses, the URL list to which the required domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists. |
| dst.geoip | Destination GeoIP. Specify a country code (for example, dst.geoip = AE); see the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. |
| service | Service type. You can specify a service or a service group (for more details, see Configuring services and Configuring service groups). To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...). To specify a service group: service = lib.service(). Provide the service group name in parentheses. |
| time | Set a schedule for a rule. To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets. |