I just set up SSH decryption, also known as SSH proxy on the palo alto.
When I look at the actual sessions, I do see a checked box near to decrypted, so according to me the decryption itself works.
I also got a warning about a man in the middle attack after I enabled the decryption, because the keys changed.
Now what I want to achieve, is that SFTP file transfers are being scanned for virusses.
I downloaded the eicar.com test file to an external VPS on the internet, and I did SFTP to transfer this eicar.com file to a server I have protected by the palo alto and with SSH proxy decryption enabled.
Even though the palo sees the traffic, marks it as decrypted, and on the security antivirus is enabled, the palo does not seem to care about the fact that a virus is being uploaded.
What am I missing here?
Thank you for the pointers.
Repeat your test with a WildFire test file that you can download from the WildFire portal. Palo doesn't seem to count eicar files as malicous (because their not) and test with these files I've found to not work reliably as a test with their services.
I actually did do the test with a couple of different files.
I used the eicar.com file, I use the "wildfire-test-pe-file.exe" file and I downloaded some actual malware.
Even though I see a hit in the decryption policy, I'm under the impression nothing is being scanned, because in the threats nothing at all shows up.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!