https://live.paloaltonetworks.com/t5/general-topics/can-pa-be-possible-for-content-inspection-after-ssh-decryption/m-p/47851#M35174 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The statement means that you cannot identify the actual application that is using the ssh tunnel nor you can scan the content.</P><P></P><P>PA can identify if the traffic send in the tunnel is pure ssh (e.g. CLI of a device using ssh) and differentiate when an application is using ssh to sneak through the firewall.</P><P></P><P>As conclusion, you can block applications that use ssh tunnel but you cannot identify which app is actually tunneling within ssh.</P></BODY></HTML> Tue, 10 Mar 2015 13:40:14 GMT gbogojevic 2015-03-10T13:40:14Z https://live.paloaltonetworks.com/t5/general-topics/can-pa-be-possible-for-content-inspection-after-ssh-decryption/m-p/47850#M35173 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Can PA be possible for content inspection after ssh decryption?</P><P></P><P>I looked the below document.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4498">Details on Port Forwarding Inside SSH</A></P><P>This document mentioned the following comment.</P><P>"Content and threat inspection is not done on the SSH tunnel session"</P><P>I don't know that It means whether only 'ssh-tunnel' application or both 'ssh' &amp; "ssh-tunnel' after ssh decryption.</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">I need your help.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks,</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">SC Hong </SPAN></P></BODY></HTML> Tue, 10 Mar 2015 13:23:45 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pa-be-possible-for-content-inspection-after-ssh-decryption/m-p/47850#M35173 schong 2015-03-10T13:23:45Z https://live.paloaltonetworks.com/t5/general-topics/can-pa-be-possible-for-content-inspection-after-ssh-decryption/m-p/47851#M35174 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The statement means that you cannot identify the actual application that is using the ssh tunnel nor you can scan the content.</P><P></P><P>PA can identify if the traffic send in the tunnel is pure ssh (e.g. CLI of a device using ssh) and differentiate when an application is using ssh to sneak through the firewall.</P><P></P><P>As conclusion, you can block applications that use ssh tunnel but you cannot identify which app is actually tunneling within ssh.</P></BODY></HTML> Tue, 10 Mar 2015 13:40:14 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pa-be-possible-for-content-inspection-after-ssh-decryption/m-p/47851#M35174 gbogojevic 2015-03-10T13:40:14Z