SSH Deep Packet Inspection

The Secure Shell (SSH) is a protocol used for secure remote login and other secure network services over an insecure network. SSH supports tunneling, which can be used to bypass firewalls and breach Security Policies.

You can use the SSH Deep Packet Inspection ("SSH DPI") feature to decrypt and encrypt SSH traffic and let Threat Prevention protect against advanced threats, bots, and other malware.

There are two modes of inspection:

  • Transparent inspection - Requires importing the public key and private key of the inspected server to the gateway.

  • Non-transparent inspection - Requires importing only the public key of the inspected server to the gateway.

SSH DPI Architecture

Similar to HTTPS Inspection, SSH DPI works as the man-in-the-middle.

SSH_CLIENT <=> Security Gateway <=> SSH_SERVER

Note - All TCP traffic should pass through the Security Gateway.
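Because the gateway sits in the middle, the host key a client is offered tells you which mode is in effect: with the server's private key imported (transparent), the gateway can present the server's own key; with only the public key (non-transparent), clients see the gateway's key instead and get a host-key change. The following is an added example, not Check Point code: it builds OpenSSH public-key lines from constructed bytes, computes the SHA256 fingerprint the way OpenSSH prints it, and compares the real server key with the key offered in a session.

```python
"""Host-key fingerprint check for an SSH DPI deployment (added example, not
Check Point code). Assumes OpenSSH-format public keys; the key bytes used
below are constructed for illustration, not real server keys."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 AAAA... comment' line from 32 raw bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints it (no base64 padding)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def classify_session_key(server_key_line: str, offered_key_line: str) -> str:
    """Compare the key a client was offered with the inspected server's key.

    Same fingerprint: the gateway presents the server's own key, which it can
    do only when it holds the server's private key (transparent inspection).
    Different fingerprint: the gateway presents its own key (non-transparent
    inspection), so clients see a host-key change and should expect to
    re-verify the gateway's fingerprint out of band.
    """
    if fingerprint(server_key_line) == fingerprint(offered_key_line):
        return "transparent"
    return "non-transparent"


# Constructed sample keys (not real): the origin server's key and a key
# generated on the gateway.
SERVER_KEY = ed25519_pubkey_line(bytes(range(32)), "inspected-server")
GATEWAY_KEY = ed25519_pubkey_line(bytes(range(32, 64)), "gateway")

if __name__ == "__main__":
    print("server  :", fingerprint(SERVER_KEY))
    print("offered :", fingerprint(GATEWAY_KEY))
    print("mode    :", classify_session_key(SERVER_KEY, GATEWAY_KEY))
```

In practice, feed the line from the server's /etc/ssh/ssh_host_*_key.pub (the key you import to the gateway) as the server key and the entry a client records in known_hosts after connecting through the gateway as the offered key.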

Enabling SSH Deep Packet Inspection on the Security Gateway

Disabling SSH Deep Packet Inspection on the Security Gateway

Viewing SSH DPI Status

Note - All SSH inspection settings survive Security Gateway reboot.

Configuring SSH Deep Packet Inspection

Add an inspected SSH server

SSH Deep Packet Inspection Settings

Client Authorization (authorization by keys - without passwords)

Cluster

Currently, keys are not synchronized between cluster nodes automatically.

Troubleshooting

Debugging