Configuring SSH Inspection

You configure SSH inspection rules at the security-policy ssh-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

To create an SSH inspection rule, use the following command:

Admin@nodename# create security-policy ssh-inspection <position> upl-rule

SSH inspection rule parameters (each parameter name is followed by its description):

OK or PASS

SSH inspection rule action:

  • OK: decrypt

  • PASS: bypass

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

SSH inspection rule name.

Example: name("SSH inspection rule example").

desc

A description of the rule.

Example: desc("SSH inspection rule example configured in CLI").

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

block_ssh_shell

Block SSH remote shell (command line interpreter). Available for rules with the Decrypt action:

  • block_ssh_shell(yes) or block_ssh_shell(true): enable blocking.

  • block_ssh_shell(no) or block_ssh_shell(false): disable blocking.

block_ssh_exec

Block SSH remote execution. Available for rules with the Decrypt action:

  • block_ssh_exec(yes) or block_ssh_exec(true): enable blocking.

  • block_ssh_exec(no) or block_ssh_exec(false): disable blocking.

ssh_command

The Linux command to transmit, in the format:

ssh user@host 'command'

Example: ssh_command("ssh root@192.168.1.1 reboot").

You can edit SSH commands for rules with the Decrypt action.

block_sftp

Block SFTP (Secure File Transfer Protocol) connection. Available for rules with the Decrypt action:

  • block_sftp(yes) or block_sftp(true): enable connection blocking.

  • block_sftp(no) or block_sftp(false): disable connection blocking.

user

Users and user groups for which the SSH inspection rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

  • user = known

  • user = "user"

  • user = "testd.local\\user1"

  • user = ("user", "testd.local\\user1")

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide, in parentheses, the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Country codes follow ISO 3166-1.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide, in parentheses, the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

Country codes follow ISO 3166-1.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a service group: service = lib.service(). Provide the services group name in parentheses.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses.
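The constraints in the parameter table (block_ssh_shell, block_ssh_exec, block_sftp and ssh_command only for rules with the Decrypt action; at most 15 GeoIP codes per rule) are easy to violate when rules are generated from a template rather than typed by hand. The following Python helper is an added example and is not part of this documentation or of the product: it collects the rule parameters, checks those constraints, and renders the create command in the continuation style the CLI shows. The quoting rules (double quotes, backslashes escaped as in the user examples above) and the rendering of several GeoIP codes as a parenthesised tuple are assumptions; the page itself shows only single codes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Limit stated in the parameter table for src.geoip / dst.geoip.
MAX_GEOIP = 15
# Parameters the table marks as available only for rules with the Decrypt (OK) action.
DECRYPT_ONLY = ("block_ssh_shell", "block_ssh_exec", "block_sftp", "ssh_command")


@dataclass
class SshInspectionRule:
    """One security-policy ssh-inspection rule, as the UPL parameters describe it."""
    action: str                                   # "OK" (decrypt) or "PASS" (bypass)
    name: str
    position: int = 1
    desc: str = ""
    enabled: bool = True
    rule_log: bool = False                        # omitted from the CLI means disabled
    block_ssh_shell: bool = False
    block_ssh_exec: bool = False
    block_sftp: bool = False
    ssh_command: Optional[str] = None
    users: List[str] = field(default_factory=list)      # "known" or "domain\\user"
    src_zone: Optional[str] = None
    src_geoip: List[str] = field(default_factory=list)  # ISO 3166-1 alpha-2 codes
    dst_geoip: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)


def validate(rule: SshInspectionRule) -> List[str]:
    """Return the constraint violations found (an empty list means the rule is consistent)."""
    problems = []
    if rule.action not in ("OK", "PASS"):
        problems.append(f"action must be OK or PASS, got {rule.action!r}")
    if rule.action == "PASS":
        for param in DECRYPT_ONLY:
            if getattr(rule, param):
                problems.append(f"{param} is only available for rules with the OK (decrypt) action")
    for label, codes in (("src.geoip", rule.src_geoip), ("dst.geoip", rule.dst_geoip)):
        if len(codes) > MAX_GEOIP:
            problems.append(f"{label}: at most {MAX_GEOIP} country codes allowed, got {len(codes)}")
        for code in codes:
            if not (len(code) == 2 and code.isalpha() and code.isupper()):
                problems.append(f"{label}: {code!r} is not an ISO 3166-1 alpha-2 code")
    return problems


def _quote(value: str) -> str:
    # Assumption: double quotes with backslash escaping, as in user = "testd.local\\user1";
    # "known" is treated as a bare keyword, as in user = known.
    if value == "known":
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _listed(values: List[str], quote: bool = True) -> str:
    # One value is written bare, several as a parenthesised, comma-separated tuple.
    items = [(_quote(v) if quote else v) for v in values]
    return items[0] if len(items) == 1 else "(" + ", ".join(items) + ")"


def render(rule: SshInspectionRule) -> str:
    """Render the create command; every parameter after the first goes on its own
    '...' continuation line. Raises ValueError when validate() reports a problem."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [rule.action]
    if rule.services:
        parts.append(f"service = {_listed(rule.services)}")
    if rule.users:
        parts.append(f"user = {_listed(rule.users)}")
    if rule.src_zone:
        parts.append(f"src.zone = {rule.src_zone}")
    # Assumption: several codes are written as a tuple; the page only shows a single code.
    if rule.src_geoip:
        parts.append(f"src.geoip = {_listed(rule.src_geoip, quote=False)}")
    if rule.dst_geoip:
        parts.append(f"dst.geoip = {_listed(rule.dst_geoip, quote=False)}")
    for param in ("block_ssh_shell", "block_ssh_exec", "block_sftp"):
        if getattr(rule, param):
            parts.append(f"{param}(yes)")
    if rule.ssh_command:
        parts.append(f"ssh_command({_quote(rule.ssh_command)})")
    if rule.rule_log:
        parts.append("rule_log(yes)")
    parts.append(f"name({_quote(rule.name)})")
    if rule.desc:
        parts.append(f"desc({_quote(rule.desc)})")
    parts.append(f"enabled({'true' if rule.enabled else 'false'})")
    head = f"Admin@nodename# create security-policy ssh-inspection {rule.position} upl-rule "
    return head + " \\\n...".join(parts)


if __name__ == "__main__":
    # Constructed sample: the decrypt rule from the page's own example.
    sample = SshInspectionRule(action="OK", name="Test SSH inspection rule",
                               desc="Test SSH inspection rule description",
                               services=["Any TCP"], block_ssh_shell=True,
                               block_sftp=True, rule_log=True)
    print(render(sample))
```

Running the module prints the same command the documentation example types in by hand; calling validate() on a PASS rule that also sets block_ssh_exec, or on a rule with more than 15 GeoIP codes, returns the violated constraints instead of letting a silently ineffective rule reach the device.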

To edit an SSH inspection rule, use the following command:

Admin@nodename# set security-policy ssh-inspection <position> upl-rule

To view all SSH inspection rules that were created, use the following command:

Admin@nodename# show security-policy ssh-inspection

To view a specific SSH inspection rule, use the following command:

Admin@nodename# show security-policy ssh-inspection <position>

Example of creating an SSH inspection rule using UPL:

Admin@nodename# create security-policy ssh-inspection 1 upl-rule OK \
...service = ("Any TCP") \
...block_ssh_shell(yes) \
...block_sftp(yes) \
...rule_log(yes) \
...name("Test SSH inspection rule") \
...desc("Test SSH inspection rule description") \
...enabled(true)
...
Admin@nodename# show security-policy ssh-inspection 1
% ----------------- 1 -----------------
OK \
service = "Any TCP" \
block_ssh_shell(yes) \
block_sftp(yes) \
desc("Test SSH inspection rule description") \
rule_log(yes) \
enabled(true) \
id(d703f390-896f-47c2-91bd-69c6d37aa6d2) \
name("Test SSH inspection rule")

To remove an SSH inspection rule, use the following command:

Admin@nodename# delete security-policy ssh-inspection <position>