Details on Port Forwarding Inside SSH

Created On 09/25/18 19:30 PM - Last Modified 06/02/23 03:30 AM


Resolution


Enabling port forwarding in SSH makes it possible to tunnel other applications through the SSH session. Doing so poses a security risk, because users can use the tunnel to circumvent the application-based security policies on the Palo Alto Networks device.

 

The Palo Alto Networks device addresses this risk with the SSH Proxy feature. A decryption policy can be configured on the device to decrypt SSH sessions. Under this policy, if a user initiates SSH local port forwarding, remote forwarding, or X11 forwarding, the session is identified as an SSH tunnel. Consequently, action can be taken on the SSH tunnel application according to the security policies.
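As an added illustration (not code from the Palo Alto Networks article, and not how PAN-OS implements SSH Proxy), the following Python shows the kind of classification the paragraph describes. Once a session is decrypted, the SSH connection-protocol messages that request forwarding become visible: a `direct-tcpip` channel open (local forwarding), a `tcpip-forward` global request (remote forwarding), or an `x11-req` channel request (X11). Any one of them is enough to reclassify the session from plain `ssh` to `ssh-tunnel`. Message layouts and names follow RFC 4254; the sample sessions are constructed for the example, not captured traffic.

```python
import struct

# Message numbers from RFC 4254 (SSH Connection Protocol)
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# (message type, request or channel name) -> what the client asked for.
# Any of these turns an interactive "ssh" session into a tunnel.
TUNNEL_INDICATORS = {
    (SSH_MSG_CHANNEL_OPEN, "direct-tcpip"): "local port forwarding",
    (SSH_MSG_GLOBAL_REQUEST, "tcpip-forward"): "remote port forwarding",
    (SSH_MSG_CHANNEL_REQUEST, "x11-req"): "X11 forwarding",
}


def _read_string(buf, off):
    """Read an SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length].decode("ascii", "replace"), off + length


def tunnel_reason(payload):
    """Return the tunnelling feature requested by one decrypted SSH message
    payload, or None if the message is not a tunnel indicator."""
    if not payload:
        return None
    msg_type = payload[0]
    if msg_type in (SSH_MSG_GLOBAL_REQUEST, SSH_MSG_CHANNEL_OPEN):
        name, _ = _read_string(payload, 1)   # name follows the type byte
    elif msg_type == SSH_MSG_CHANNEL_REQUEST:
        name, _ = _read_string(payload, 5)   # skip the uint32 recipient channel
    else:
        return None
    return TUNNEL_INDICATORS.get((msg_type, name))


def classify_session(payloads):
    """Walk a session's decrypted client messages in order; the first tunnel
    indicator reclassifies the whole session as 'ssh-tunnel'."""
    for payload in payloads:
        reason = tunnel_reason(payload)
        if reason is not None:
            return "ssh-tunnel", reason
    return "ssh", None


# --- constructed sample messages (not real captures) -------------------------
# Trailing request-specific fields are omitted: the classifier never reads them.

def _string(s):
    return struct.pack(">I", len(s)) + s.encode("ascii")


def channel_open(channel_type, sender=0, window=2097152, max_packet=32768):
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(channel_type)
            + struct.pack(">III", sender, window, max_packet))


def channel_request(recipient, request_type, want_reply=True):
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient)
            + _string(request_type) + bytes([int(want_reply)]))


def global_request(request_name, want_reply=True):
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + _string(request_name) + bytes([int(want_reply)])


# An ordinary interactive login: open a session channel, ask for a pty and a shell.
SHELL_SESSION = [
    channel_open("session"),
    channel_request(0, "pty-req"),
    channel_request(0, "shell"),
]

# Same login, but the client also asks the server to listen and forward (ssh -R).
REMOTE_FORWARD_SESSION = SHELL_SESSION + [global_request("tcpip-forward")]

# A client opening a direct-tcpip channel (ssh -L / -D) before anything else.
LOCAL_FORWARD_SESSION = [channel_open("direct-tcpip")]

# A client requesting X11 forwarding on its session channel (ssh -X).
X11_SESSION = [channel_open("session"), channel_request(0, "x11-req")]

if __name__ == "__main__":
    for label, session in [("shell", SHELL_SESSION),
                           ("remote-forward", REMOTE_FORWARD_SESSION),
                           ("local-forward", LOCAL_FORWARD_SESSION),
                           ("x11", X11_SESSION)]:
        print(label, "->", classify_session(session))
```

The point of the example is why decryption is a prerequisite: every one of these messages travels inside the encrypted SSH payload, so without the proxy a firewall sees only an `ssh` session and cannot tell a shell login from a tunnel. Note that the classifier only recognises the session as a tunnel; what flows inside the forwarded channel is still not inspected, which matches the limitation stated under "Important!" below.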

 

Important!

  1. SSH Proxy uses the same "man in the middle" method that is used for SSL decryption.
  2. The Palo Alto Networks device supports only SSH version 2. If the client supports only SSH version 1, it should exit when it receives the version string from the Palo Alto Networks device.
  3. Content and threat inspection is not performed on the SSH tunnel session.

 

See Also

How to Implement SSH Decryption on a Palo Alto Networks Device

 

owner: swhyte


