topic SSH decryption policy in General Topics

SSH decryption policy

Sly_Cooper — Tue, 04 Sep 2012 07:47:54 GMT

Hi All,

We have recently deployed PA devices in our network as IPS. We have configured SSH proxy and provide an exception with negate policy for the hosts. I have a basic question regarding decryption rule. I am assuming all rules work like firewalls with src zone + hosts (if any) + dst zone + dst hosts (if any) and services. Is it true for decryption policies as well? We have configured policy to bypass SSH proxy and add src OR dst with "negate" checked. The policies were configured by someone else but I am somehow confused as I am believing that the policy works as src and dst and not src or dst. Please help me understand.

Re: SSH decryption policy

mikand — Tue, 04 Sep 2012 11:40:54 GMT

Stuff in the same decryption policy works as AND, while compared to a different policy it works as OR.

So it should be the same execution path as security policies have regarding top-down first-match.

A tricky part when it comes to decryption policies might be the "allow encrypted traffic" which a rule can have in case it cannot decrypt the matching traffic.

If a session (or packet) matches your particular decryption rule and "allow encrypted traffic" is not set then the flow will be blocked.

Re: SSH decryption policy

mharding — Tue, 04 Sep 2012 15:29:19 GMT

For my own sanity, I've never used the negate box.

In the scenario, I would create a policy with the exception list as a "no-decypt" and place it above the decryption rule.

Re: SSH decryption policy

Sly_Cooper — Tue, 04 Sep 2012 15:40:19 GMT

Thanks. The policy had been configured by different admin and hence I am tying to understand. Yes it makes sense and easy to have two policies with one for SSH proxy and another for bypass. Do you seen any issue with negate? I guess the same policy is acting like SSH proxy all except the negates hosts.

Re: SSH decryption policy

Sly_Cooper — Tue, 04 Sep 2012 15:42:04 GMT

I am new to Palo Alto firewalls but from firewall experience even I think the policy works with src and dst. I have also opened up case with support and waiting to get confirmation.

Re: SSH decryption policy

mharding — Tue, 04 Sep 2012 16:34:25 GMT

It really just comes down to preference. It should work either way, but if someone comes in behind to troubleshoot an problem, it's easier to understand the no-decrypt versus the negate visually.

Re: SSH decryption policy

Sly_Cooper — Wed, 05 Sep 2012 09:24:10 GMT

Coming to my original question.... How do you read policy below?

Zone Trust -> Src A + B (negate) -> to Zone Untrust Dst X, Y , Z (negate) -> Decrypt -> Type SSH proxy

Re: SSH decryption policy

mikand — Wed, 05 Sep 2012 09:28:51 GMT

I find it harder to read...

But my intepretation is:

srczone: trust

dstzone: untrust

srcaddress: any but A or B

dstaddress: any but X, Y or Z

unless you meant that you negated B and Z only and not all the selected ip/ranges :smileysilly:

Re: SSH decryption policy

Sly_Cooper — Wed, 05 Sep 2012 09:36:58 GMT

Basically the host are added (negate) to bypass the SSH proxy. Everything is working fine. But I was only confused on how it is interpreted. Is it src "and" dst negate pair OR src "or" dst negate individual hosts. Since it is working I am assuming that for negate it is not considering src and dst pair like standard policy.