The administrator can use this section to configure the inspection of data transmitted using the SSH (Secure Shell) protocol. SSH also allows encrypted tunnels to be created for virtually any network protocol.
The rules in this section can inspect SSH traffic for specific users and/or user groups, source or destination zones or addresses, as well as service types that transmit traffic via the SSH tunnel. There is a feature called Time sets that can be used to apply each rule depending on the day of the week and time of the day.
To enable SSH content inspection, follow these steps:

| Step | Description |
|---|---|
| Step 1. Allow the SSH proxy service in the desired zone. | In the Network ➜ Zones section, allow the SSH proxy service for the zone from which the SSH traffic will originate. Without this, SSH connections from that zone are passed through without inspection. |
| Step 2. Create the desired SSH inspection rules. | An SSH inspection rule defines the matching criteria (users, zones, addresses, service, time) and the actions applied to the SSH traffic that matches them. |
To create an SSH inspection rule, go to the Security policies ➜ SSH inspection section, click Add, and provide the desired settings.
| Name | Description |
|---|---|
| Enabled | Enables or disables the rule. A disabled rule stays in the list but is skipped during processing. |
| Name | The name of the rule. |
| Description | A description of the rule. |
| Action | Whether to decrypt the SSH data in transit. The content controls below (shell, remote execution, command list, SFTP) can only be applied to decrypted sessions. |
| Enable logging | Each time the rule is triggered, an entry is recorded in the SSH inspection log. |
| Block SSH remote shell | Prohibits launching an interactive command interpreter (login shell) on the SSH server. The user is still allowed to run individual commands on the remote server, for example: ssh user@host command |
| Block SSH remote execution | Prohibits the remote execution of any command on the SSH server. |
| Edit SSH commands | As an alternative to blocking all remote execution, you can specify a list of specific commands whose remote execution via SSH will be blocked; commands not on the list remain allowed. |
| Block SFTP | Blocks SFTP (SSH File Transfer Protocol) connections, i.e. file transfer over the SSH session. |
| Place to | The place in the rule list where this rule will be inserted: at the top, at the bottom, or above the selected existing rule. The position matters because rules are processed in list order. |
| Users | The list of users and groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or to Known users, user identification needs to be configured. For more details on user identification, see the Users and Devices chapter. |
| Source | The source zones and/or IP address lists for the traffic. Important! The maximum number of GeoIPs that can be specified is limited to 15. Important! The traffic processing logic is as follows: For more details on working with IP address lists, see the chapter IP Addresses. |
| Destination address | The lists of destination IP addresses for the traffic. Important! The maximum number of GeoIPs that can be specified is limited to 15. Important! The traffic processing logic is as follows: For more details on working with IP address lists, see the chapter IP Addresses. |
| Service | The service for which traffic is to be decrypted. This field is required. |
| Time | The time period in which this rule is active. You can add different types of time period in the Time Sets section; a rule with no time set is active at all times. |
| Usage | The trigger statistics for the rule: the total trigger count and the time of the first and last trigger. To reset the trigger count, select the rules in the list and click Reset hit counts. |
| History | The time the rule was created and last changed, as well as the related event log entries, such as rule added, rule updated, rule list position changed, etc. |