SSH DPI

You can use the SSH Deep Packet Inspection ("SSH DPI") feature to decrypt, inspect, and re-encrypt SSH traffic, so that the Threat Prevention solution can protect against advanced threats, bots, and other malware.

The SSH Deep Packet Inspection (DPI) was integrated as part of the Quantum Spark alignment to R81.10, starting in R81.10.05.

With SSH DPI you can:

  • Block SSH attacks

  • Block the transmission of viruses through the SFTP protocol.

  • Prevent brute force password cracking of SSH/SFTP servers.

  • Prevent the dangerous use of SSH Port forwarding

  • Prevent the use of simple passwords such as "password" when connecting to SSH/SFTP

  • Prevent the use of vulnerable cryptography

  • Prevent the use of vulnerable SSH clients and servers

  • Prevent the use of port 22 for protocols other than SSH

Note - Currently these blades are supported: Anti-Virus and IPS.

Important - SSH DPI is disabled by default.

To see the current SSH DPI status:

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode:

    expert

  3. Examine the current SSH DPI status:

    cpssh_config istatus

To enable SSH DPI:

Note - The SSH DPI is disabled by default.

  1. In SmartConsole > Security Gateway, enable the Anti-Virus and IPS Software Blades and click OK.

  2. Copy the public key from your SSH server (on a Linux-based server, it is usually located in /etc/ssh/ssh_host_rsa_key.pub or /pfrm2.0/etc/ssh_rsa_host_key.pub) to a directory on the Security Gateway (for example: /home/admin).

  3. Connect to the command line on the Security Gateway.

  4. Log in to the Expert mode:

    expert

  5. Run on the Security Gateway:

    cpssh_config -s -g <IP_Address_or_FQDN_of_SSH_Server> -e </Path/To/Public_Key_File_of_SSH_Server>

    Where:

    • <IP_Address_or_FQDN_of_SSH_Server> is the IP address or the FQDN (for example: my_ssh_server.com) of the SSH server.

    • </Path/To/Public_Key_File_of_SSH_Server> is the path on the Security Gateway to the public key file from the SSH server (for example: /home/admin/ssh_host_rsa_key.pub).

  6. Enable SSH DPI on the Security Gateway:

    cpssh_config ion

  7. In SmartConsole, install the Threat Prevention policy on the Security Gateway object.

Alternatively, on the Security Gateway CLI, run:

    fw fetch local

Internal Note -

In the Locally Managed mode, run:

    fw_configload

Restart the SFWD daemon:

    sfwd_restart
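Step 2 copies a host public key file to the gateway and step 5 hands its path to cpssh_config. The following Python script is an added example (not part of this page or of Check Point's tools) that checks such a file has the OpenSSH public key layout, that the declared key type matches the type inside the key blob, and derives the SHA256 fingerprint in the same form that ssh-keygen -lf prints, so it can be compared with the fingerprint the SSH server itself reports. The accepted key-type list and the sample ssh-ed25519 key (root@ssh-server.example) are assumptions constructed for the example.

```python
# Added example (not Check Point tooling): sanity-check a host public key file
# before registering it with `cpssh_config -s -g <server> -e <file>`.
import base64
import hashlib

# Key types a host key file may legitimately declare (assumed list).
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _read_string(blob, offset):
    """Decode one SSH wire-format string: uint32 big-endian length + bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_host_key(line):
    """Return (key_type, SHA256 fingerprint, comment) or raise ValueError."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in KNOWN_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    # The first wire string inside the blob repeats the key type; a mismatch
    # means the file was hand-edited or the wrong file was copied over.
    inner_type, _ = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("blob type %r != declared %r" % (inner_type, key_type))
    # Same form `ssh-keygen -lf` prints: SHA256:<base64 without '=' padding>
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment

def is_valid_host_key_line(line):
    """True when parse_host_key accepts the line, False otherwise."""
    try:
        return bool(parse_host_key(line))
    except ValueError:
        return False

def make_sample_ed25519_line():
    """Constructed sample: valid ssh-ed25519 layout around a dummy 32-byte value."""
    pub = bytes(range(32))
    blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@ssh-server.example"
```

Run parse_host_key over each line of the copied file and compare the fingerprint with the output of `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the SSH server itself before running cpssh_config.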

To disable SSH DPI:

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode:

    expert

  3. Disable SSH DPI:

    cpssh_config ioff

To show the SSH public keys:

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode:

    expert

  3. Examine the SSH public keys:

    cpssh_config -v -s

To collect the kernel debug:

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode:

    expert

  3. Configure the kernel debug options:

    1. fw ctl debug 0

    2. fw ctl debug -buf 8200

    3. fw ctl debug -m fw + cpsshi

    4. fw ctl debug -m CPSSH all

  4. Examine the kernel debug options:

    1. fw ctl debug -m fw

    2. fw ctl debug -m CPSSH

  5. Replicate the issue.

  6. Start the kernel debug:

    fw ctl debug -T -f &>/storage/debug.log

  7. Stop the kernel debug:

    Press CTRL+C

  8. Disable the kernel debug options:

    fw ctl debug 0

  9. Get the debug output:

    /storage/debug.log