Module 'CPSSH' (SSH Inspection)

R80.40 introduced SSH Deep Packet Inspection - decryption / encryption of SSH, extraction of files from SFTP/SCP, blocking of SSH port forwarding, and so on.

For more information, see the R81 Threat Prevention Administration Guide.

Syntax

• On the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / each Cluster Member Security Gateway that is part of a cluster., run in the Expert mode:

  fw ctl debug -m CPSSH + {all | <List of Debug Flags>}

• On the Scalable Platform Security Group, run in the Expert mode:

  g_fw ctl debug -m CPSSH + {all | <List of Debug Flags>}

Important - Also enable the debug flag "cpsshi" in Module 'fw' (Firewall).

Flag	Description
authentication	Detailed information about authentication
binary_packet	Detailed information about packets
conn_proto	Detailed information about connections
crypto	Encryption and decryption Note - Also see Module 'crypto' (SSL Inspection).
dump	Dumps the connection buffer
error	General errors
info	General information
mux_auth_app	Information about authentication Note - Also see Module 'MUX' (Multiplexer for Applications Traffic).
mux_conn_app	Information about connections Note - Also see Module 'MUX' (Multiplexer for Applications Traffic).
mux_decrypt_app	Information about decryption of connections Note - Also see Module 'MUX' (Multiplexer for Applications Traffic).
mux_encrypt_app	Information about encryption of connections Note - Also see Module 'MUX' (Multiplexer for Applications Traffic).
mux_inf	Internal flow Note - Also see Module 'MUX' (Multiplexer for Applications Traffic).
mux_stream	Internal flow Note - Also see Module 'MUX' (Multiplexer for Applications Traffic).
probe	Information about connections
session	Internal flow
sftp_parser	Parser of SFTP / SCP connections
state_machine	Information about the module State Machine
trans_proto	Information about client and server communication
warning	General warnings