SSH Deep Packet Inspection

The Secure Shell (SSH) is a protocol which uses for secure remote login and other secure network services over an insecure network. SSH allows tunneling, which can be used to bypass firewalls and breach Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

You can use the SSH Deep Packet Inspection ("SSH DPI") feature to decrypt and encrypt SSH traffic and let Threat Prevention protect against advanced threats, bots, and other malware.

There are two modes of inspection:

  • Transparent inspection - Requires importing the public key and private key of the inspected server to the gateway.

  • Non-transparent inspection - Requires importing only the public key of the inspected server to the gateway.

SSH DPI Architecture

Similar to HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi., SSH DPI works as the man-in-the-middle.

SSH_CLIENT <=> Security Gateway <=> SSH_SERVER

Note - All TCP traffic should pass through the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

Enabling SSH Deep Packet Inspection on the Security Gateway

Disabling SSH Deep Packet Inspection on the Security Gateway

Viewing SSH DPI Status

Note - All SSH inspection settings survive Security Gateway reboot.

Configuring SSH Deep packet Inspection

Add an inspected SSH server

SSH Deep Packet Inspection Settings

Client Authorization (authorization by keys - without passwords)

Cluster

Currently, we do not support keys syncing between clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. nodes automatically.

Troubleshooting

Debugging