https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341654#M85691 <P>For a home user who uses VPN to access internal network, how can we block all his SSH outbound connection to internet?</P> Fri, 31 Jul 2020 19:45:37 GMT Ivy_Vo 2020-07-31T19:45:37Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341654#M85691 <P>For a home user who uses VPN to access internal network, how can we block all his SSH outbound connection to internet?</P> Fri, 31 Jul 2020 19:45:37 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341654#M85691 Ivy_Vo 2020-07-31T19:45:37Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341657#M85692 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150924">@Ivy_Vo</a>&nbsp;</P> <P>Are these computers managed by your company or are these devices owned by the users?</P> Fri, 31 Jul 2020 19:57:38 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341657#M85692 Remo 2020-07-31T19:57:38Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341660#M85693 <P>They use the company laptops, but how does that matter? Thanks!</P> Fri, 31 Jul 2020 19:59:54 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341660#M85693 Ivy_Vo 2020-07-31T19:59:54Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341668#M85695 <P>Ok, I actually does not matter who owns the laptop. It matters if these laptops are centrally managed for example with active directory. As you are asking this question I assume you have split tunneling configured and only traffic towards your internal network is sent through the vpn tunnel. In this case you would need to block the outgoing ssh connections towards the internet locally on these laptops.</P> <P>If you route everyrhing (0.0.0.0/0) into the tunnel, then simply create a rule on the firewall, but I thought this would be too easy for a question here <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 31 Jul 2020 20:20:27 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341668#M85695 Remo 2020-07-31T20:20:27Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341671#M85696 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150924">@Ivy_Vo</a>,</P> <P>Are you tunneling all of the traffic through GlobalProtect or are you using split-tunnel. The question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;mentioned is important because I'm assuming that you are using split-tunnel based off of your question.<BR /><BR />If you are tunneling all the traffic through GlobalProtect, you would simply build out a security rulebase entry that denies all ssh traffic from your GlobalProtect zone to your untrust zone. I'm guessing you're asking the question because this isn't the case.&nbsp;</P> Fri, 31 Jul 2020 20:22:36 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341671#M85696 BPry 2020-07-31T20:22:36Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341679#M85700 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Thank you all for explanation! I'm very new to Palo Alto.</P><P>Yes that is the case. We are using GlobalProtect to tunneling all the traffics and having a policy to deny all ssh application from GP zones to Untrust Zone. The policy was created a week ago but we got 0 hit counts. I think there are other ways to do this or I might miss something...<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SSH.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27106iED8A971DDE9ACCEC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="SSH.jpg" alt="SSH.jpg" /></span></P> Fri, 31 Jul 2020 20:58:21 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341679#M85700 Ivy_Vo 2020-07-31T20:58:21Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341680#M85701 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150924">@Ivy_Vo</a>,</P> <P>Possibly a simple policy precedence issue. Is your policy to deny the traffic above the policy currently allowing said traffic or not?&nbsp;</P> Fri, 31 Jul 2020 21:00:11 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341680#M85701 BPry 2020-07-31T21:00:11Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341682#M85702 <P>Yes, it is above.</P> Fri, 31 Jul 2020 21:20:21 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341682#M85702 Ivy_Vo 2020-07-31T21:20:21Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341683#M85703 <P>The block rule is a userbased rule, is the connection maybe from a user not specified in this deny-rule?</P> Fri, 31 Jul 2020 21:42:46 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341683#M85703 Remo 2020-07-31T21:42:46Z https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341687#M85704 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150924">@Ivy_Vo</a>,</P> <P>Might be a good idea to include one of the allow log entires you are still seeing for said user.&nbsp;</P> Fri, 31 Jul 2020 21:51:31 GMT https://live.paloaltonetworks.com/t5/general-topics/block-all-ssh-outbound/m-p/341687#M85704 BPry 2020-07-31T21:51:31Z