SSH Deep Packet Inspection

You can use the SSH Deep Packet Inspection ("SSH DPI") feature to decrypt SSH traffic, let the Threat Prevention blades inspect it for advanced threats, bots, and other malware, and re-encrypt it toward its destination.

SSH DPI Architecture

Similar to HTTPS Inspection, SSH DPI works as a man-in-the-middle: the Security Gateway terminates the SSH connection from the client and opens its own SSH connection to the server, so each leg is encrypted with keys the gateway knows.

SSH_CLIENT <=> Security Gateway <=> SSH_SERVER

Note - All TCP traffic of an inspected connection must pass through the Security Gateway in both directions. A connection of which the gateway sees only one direction (asymmetric routing) cannot be inspected.

Enabling SSH Deep Packet Inspection on the Security Gateway

Disabling SSH Deep Packet Inspection on the Security Gateway

Viewing SSH DPI Status

Note - All SSH DPI settings are saved and survive a Security Gateway reboot.

Configuring SSH Deep Packet Inspection

Add an inspected SSH server

SSH Deep Packet Inspection Settings

Client Authorization (key-based authentication, without passwords)

Cluster

Keys are currently not synchronized between cluster members automatically.

Troubleshooting

Debugging

Known Limitations

  • SSH DPI is only supported for Security Gateways R80.40 and above, managed by Management Servers R80.40 and above.

  • Inspection of IPv6 connections is not supported.

  • Outbound inspection is not supported.

  • VSX is not supported.

  • There is no cluster synchronization.

  • Inspection of SSH clients that do not support the 'Diffie-Hellman group exchange' key exchange method is not supported.

    Known list of such clients:

    • PuTTY 0.64 and older versions
    • OpenSSH 2.5.2 and older versions
    • WinSCP 5.7.4 and older versions
    • SecureCRT 5.2 and older versions
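The last limitation above (the client must offer a 'Diffie-Hellman group exchange' method) can be checked on the wire: SSH_MSG_KEXINIT is exchanged in cleartext before any keys are derived, so the gateway, or an analyst with a packet capture, can read the key exchange methods the client offers. The following Python is an added example for this page, not Check Point code. It frames and parses a KEXINIT message as specified in RFC 4253 and reports whether the client offers a DH group exchange method. The client KEXINIT, the cookie and the other algorithm lists are constructed sample data, and the helper names are this example's own.

```python
"""Parse a cleartext SSH_MSG_KEXINIT (RFC 4253, section 7.1) and check whether
the client offers Diffie-Hellman group exchange.

Added example, not Check Point code. The algorithm lists and cookie used below
are constructed sample data, not a capture from a real client.
"""
import os
import struct

SSH_MSG_KEXINIT = 20

# Key exchange methods that satisfy the 'Diffie-Hellman group exchange'
# requirement stated in the Known Limitations (assumed: both RFC 4419 names).
DH_GEX_METHODS = (
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
)

# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c",
    "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c",
    "languages_c2s", "languages_s2c",
]


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex_algorithms, cookie=None):
    """Build a KEXINIT payload. Only kex_algorithms matters for the check; the
    other name-lists are filled with plausible sample values so the layout
    is complete."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("KEXINIT cookie must be 16 bytes")
    return (
        bytes([SSH_MSG_KEXINIT])
        + cookie
        + _name_list(kex_algorithms)
        + _name_list(["ssh-ed25519", "rsa-sha2-256"])  # server host key algs
        + _name_list(["aes128-ctr"]) * 2                # encryption c2s, s2c
        + _name_list(["hmac-sha2-256"]) * 2             # MAC c2s, s2c
        + _name_list(["none"]) * 2                      # compression c2s, s2c
        + _name_list([]) * 2                            # languages c2s, s2c
        + b"\x00"                                       # first_kex_packet_follows
        + struct.pack(">I", 0)                          # reserved
    )


def frame_packet(payload, block_size=8):
    """Wrap a payload in the SSH binary packet format (RFC 4253, section 6).
    KEXINIT is sent before NEWKEYS, so there is no encryption and no MAC."""
    pad_len = block_size - (len(payload) + 5) % block_size
    if pad_len < 4:                      # RFC requires at least 4 padding bytes
        pad_len += block_size
    packet_len = 1 + len(payload) + pad_len
    return struct.pack(">IB", packet_len, pad_len) + payload + bytes(pad_len)


def unframe_packet(packet):
    """Return the payload of one unencrypted SSH binary packet."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload_len = packet_len - pad_len - 1
    if payload_len < 0 or 5 + payload_len > len(packet):
        raise ValueError("malformed SSH packet")
    return packet[5:5 + payload_len]


def parse_kexinit(payload):
    """Return the ten KEXINIT name-lists as a dict of lists of method names."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16                         # skip message id and 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        out[field] = raw.split(",") if raw else []
    return out


def supports_dh_gex(kex_algorithms):
    """True if the client could be inspected under the DH-GEX limitation."""
    return any(m in kex_algorithms for m in DH_GEX_METHODS)


if __name__ == "__main__":
    for label, kex in (("modern client", ["curve25519-sha256",
                                          "diffie-hellman-group-exchange-sha256"]),
                       ("legacy client", ["diffie-hellman-group1-sha1"])):
        wire = frame_packet(build_kexinit(kex))
        offered = parse_kexinit(unframe_packet(wire))["kex_algorithms"]
        print(label, "offers DH-GEX:", supports_dh_gex(offered))
```

In a capture, the client's KEXINIT is the first binary packet it sends after its "SSH-2.0-..." version banner; feed that packet to unframe_packet and parse_kexinit. A client whose kex_algorithms list lacks both group-exchange names falls under the limitation above and will not be inspected.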