Currently it is possible to tunnel other applications through SSH by enabling port forwarding on SSH. This can be considered a security risk because a user could potentially circumvent the application-based security policies on the Palo Alto device. The Palo Alto device is able to address this risk with the SSH proxy feature. Via a decryption policy, you can configure the PA to decrypt an SSH session; if the user does any SSH port forwarding, remote forwarding or X11 forwarding, the session will be identified as the ssh-tunnel application. In turn, action can be taken on the ssh-tunnel application according to the security policies.

It is important to note the following:

1. The same "man in the middle" method used for SSL decryption is used for SSH proxy.
2. Currently the PA only supports SSH version 2 (if the client only supports SSH version 1, when it receives the version string from the Palo Alto device, it should exit).
3. Content and threat inspection is not done on the SSH Tunnel session.
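To make the "determined to be ssh tunnel" step concrete, here is an added example (not Palo Alto's code, and not taken from the post above) that models what a man-in-the-middle SSH proxy can see once the session is decrypted: the SSH connection-protocol messages defined in RFC 4254 reveal whether local port forwarding (`direct-tcpip` channel open), remote port forwarding (`tcpip-forward` global request or `forwarded-tcpip` channel open) or X11 forwarding (`x11-req` channel request or `x11` channel open) is being set up. The message-to-verdict mapping and the labels (`ssh`, `ssh-tunnel`, `local-port-forward`, etc.) are this example's assumptions; the sample messages are constructed inline, not captured traffic.

```python
"""Classify decrypted SSH messages as a plain session or an SSH tunnel.

Added example, not vendor code. It assumes the proxy has already decrypted the
transport layer and hands us each packet payload starting at the message
number byte (RFC 4253 packet framing already stripped).
"""
from __future__ import annotations
import struct
from typing import Optional, Iterable, List, Tuple

# Message numbers from RFC 4254 (SSH connection protocol)
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98


def _ssh_string(s: bytes) -> bytes:
    """Encode an RFC 4251 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(s)) + s


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode an RFC 4251 'string' at offset off; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def classify_message(payload: bytes) -> Optional[str]:
    """Return a forwarding indicator for one decrypted message, or None."""
    if not payload:
        return None
    msg = payload[0]
    if msg == SSH_MSG_CHANNEL_OPEN:
        ctype, _ = _read_string(payload, 1)
        if ctype == b"direct-tcpip":
            return "local-port-forward"   # client asks server to connect outward (-L / -D)
        if ctype == b"forwarded-tcpip":
            return "remote-port-forward"  # server delivers a connection accepted on a -R port
        if ctype == b"x11":
            return "x11-forward"          # server opens an X11 channel back to the client
        return None
    if msg == SSH_MSG_GLOBAL_REQUEST:
        name, _ = _read_string(payload, 1)
        if name == b"tcpip-forward":
            return "remote-port-forward"  # client asks server to listen on a port (-R)
        return None
    if msg == SSH_MSG_CHANNEL_REQUEST:
        # uint32 recipient channel precedes the request-type string
        rtype, _ = _read_string(payload, 5)
        if rtype == b"x11-req":
            return "x11-forward"          # client requests X11 forwarding (-X / -Y)
        return None
    return None


def classify_session(payloads: Iterable[bytes]) -> Tuple[str, List[str]]:
    """Walk a session's decrypted messages; 'ssh-tunnel' if any forwarding is seen."""
    reasons: List[str] = []
    for p in payloads:
        r = classify_message(p)
        if r and r not in reasons:
            reasons.append(r)
    return ("ssh-tunnel" if reasons else "ssh", reasons)


# --- constructed sample messages (built here for the example, not captured) ---
def channel_open(ctype: bytes, extra: bytes = b"") -> bytes:
    # sender channel 0, initial window 2 MiB, max packet 32 KiB
    return bytes([SSH_MSG_CHANNEL_OPEN]) + _ssh_string(ctype) + struct.pack(">III", 0, 2097152, 32768) + extra


def direct_tcpip(host: bytes, port: int) -> bytes:
    extra = _ssh_string(host) + struct.pack(">I", port) + _ssh_string(b"127.0.0.1") + struct.pack(">I", 54321)
    return channel_open(b"direct-tcpip", extra)


def tcpip_forward(addr: bytes, port: int) -> bytes:
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + _ssh_string(b"tcpip-forward")
            + b"\x01" + _ssh_string(addr) + struct.pack(">I", port))


def channel_request(chan: int, rtype: bytes) -> bytes:
    return bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", chan) + _ssh_string(rtype) + b"\x00"


PLAIN_SESSION = [channel_open(b"session"), channel_request(0, b"pty-req"), channel_request(0, b"shell")]
LOCAL_FWD_SESSION = PLAIN_SESSION + [direct_tcpip(b"app-host.example", 8443)]
REMOTE_FWD_SESSION = PLAIN_SESSION + [tcpip_forward(b"0.0.0.0", 8080)]
X11_SESSION = PLAIN_SESSION + [channel_request(0, b"x11-req")]

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION), ("local-fwd", LOCAL_FWD_SESSION),
                          ("remote-fwd", REMOTE_FWD_SESSION), ("x11", X11_SESSION)]:
        print(name, classify_session(session))
```

The point of the walk-through is that none of these indicators are visible without decryption: the channel type and request name strings sit inside the encrypted payload, which is why the proxy must use the same man-in-the-middle approach as SSL decryption. It also shows why note 3 above matters: once the verdict is ssh-tunnel, the data carried inside the forwarded channel is still opaque to content and threat inspection, so the only control available is the security policy action on the application itself.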