Internal users can wrap web traffic in an SSH tunnel (SSH port forwarding or a SOCKS proxy run over SSH). Because the firewall only sees an encrypted SSH session, this bypasses URL filtering and file blocking: a user can browse a blocked website or transfer files undetected. This article shows how to decrypt SSH traffic with SSH Proxy decryption and block the ssh-tunnel application on a Palo Alto firewall.
Step 1: Create a Decryption policy
1. Go to Policies > Decryption and click Add; name the rule Decrypting SSH.
2. Add trust as the Source zone.
3. Add untrust as the Destination zone.
4. In Options, set Action to Decrypt and Type to SSH Proxy. Without the SSH Proxy type the firewall cannot look inside the SSH session and will not identify port forwarding as the ssh-tunnel application.
Step 2: Create a Security policy
1. Go to Policies > Security and click Add; name the rule Block SSH Tunneling.
2. Add trust as the Source zone.
3. Add untrust as the Destination zone.
4. Add ssh-tunnel in Application.
5. Set Action to Deny and check Log at Session End in Log Settings. Place this rule above any rule that allows plain ssh, otherwise the allow rule matches first.
Step 3: Commit the configuration.
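The same two rules as PAN-OS CLI set commands, as an added example that is not part of the original article. The rule names match the steps above; the zone names trust and untrust, the application-default service, the rule placement and the verification commands are assumptions for this illustration, so check the syntax against the PAN-OS version you run.

```text
# PAN-OS CLI, configuration mode (assumed: SSH proxy decryption is licensed
# and the zones are named trust and untrust)
configure

# Step 1: decryption rule. SSH Proxy is the decryption type that lets the
# firewall inspect the SSH session and identify port forwarding as App-ID ssh-tunnel
set rulebase decryption rules "Decrypting SSH" from trust to untrust source any destination any service any category any action decrypt type ssh-proxy

# Step 2: security rule denying ssh-tunnel, logged at session end.
# Moved to the top so a later rule that allows plain ssh does not match first
set rulebase security rules "Block SSH Tunneling" from trust to untrust source any destination any source-user any application ssh-tunnel service application-default action deny log-end yes
move rulebase security rules "Block SSH Tunneling" top

# Step 3: apply the configuration
commit
exit

# Verification, operational mode: confirm the rule order, then look for
# sessions the firewall has identified as ssh-tunnel after a test
show running security-policy
show session all filter application ssh-tunnel
```

To test from an inside host, open a tunnel to an external SSH server (for example ssh -D 1080 user@host, then point a browser at the SOCKS proxy on port 1080): the forwarded traffic should be denied and appear in the traffic log with application ssh-tunnel. Expect host-key warnings on the client once SSH Proxy is active, because the firewall presents its own host key in place of the server's; that is a side effect of the decryption, not a sign the rule is misconfigured.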