Manual Chapter : Proxy SSH traffic with an SSH Proxy profile

Applies To:

BIG-IP AFM

  • 15.0.0

Configure an SSH proxy security profile to allow or deny SSH channel actions to specific users on a virtual server.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > SSH Proxy.
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  2. Click Create.
    The New SSH Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. From the Lang Env Tolerance list, select which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the Other channel type permission (in the SSH Proxy Permissions rules) set to Disallow or Terminate.
    • Any: Allows connections with any LANG environment value set.
    • Common: Allows only connections with the LANG environment value set to en_US.UTF-8 to pass through the Other restrictions.
    • None: Disallows all connections with the LANG environment variable set.
  5. In the Timeout field, specify the idle timeout, in seconds, to maintain an SSH session if there is no activity.
    A setting of 0 means that the SSH session never times out.
  6. Edit an existing rule, or add a new rule.
    • To edit an existing rule, click the name of the rule. For example, click Default Actions to edit the default rule for a profile.
    • To add a new rule, click Add New Rule. A new line is added to the list of rules. Add a name to the rule to begin editing.
  7. In the Users column, in the add new user field, type an SSH user name to which the rule applies, then click Add.
    You cannot add users to the Default Actions rule.
  8. Configure the settings for each SSH channel action.
    • To allow the session to be set up for the SSH channel action, select Allow.
    • To deny an SSH channel action, and send a command not accepted message, select Disallow. Note that many SSH clients disconnect when this occurs.
    • To terminate an SSH connection by sending a reset message when a channel action is received, select Terminate.
    In non-default rules, SSH channels have an Unspecified option, which means that for a specific user, if all the rules' actions (except default actions) are unspecified, then use the Default Action rule.
  9. To enable logging for an SSH action, select the Log check box.
    Before events are logged, you need to set up a log publisher and logging profile.
  10. When you finish editing:
    • An existing rule, click Done Editing.
    • A new rule, click Add Rule.
  11. When you are finished adding and editing rules, click Commit Changes to System.
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server, attach the profile to a virtual server.
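
Before committing a profile, it helps to check which action each user ends up with once the Unspecified fallback and the Lang Env Tolerance setting are taken into account. The following is an added example, not F5 code or a BIG-IP API: a small offline model of the semantics described in steps 4 and 8. The rule names, user names and the channel labels other than Other are constructed, and reporting conflicting rules as CONFLICT is an assumption, because this chapter does not state a precedence between rules.

```python
# Added example: offline model of the rule semantics described in this chapter,
# for reviewing a planned profile. Not F5 code and not a BIG-IP API.
ALLOW, DISALLOW, TERMINATE, UNSPECIFIED = "Allow", "Disallow", "Terminate", "Unspecified"

def resolve(profile, user, channel):
    """Return (action, source) for one user and one SSH channel action.

    Non-default rules that list the user are consulted first; if every one
    leaves the channel Unspecified, the Default Actions rule applies.
    Assumption: rules that disagree are reported as "CONFLICT" for review.
    """
    found = {}
    for rule in profile["rules"]:
        action = rule["actions"].get(channel, UNSPECIFIED)
        if user in rule["users"] and action != UNSPECIFIED:
            found.setdefault(action, []).append(rule["name"])
    if not found:
        return profile["default_actions"][channel], "Default Actions"
    if len(found) > 1:
        return "CONFLICT", sorted(n for names in found.values() for n in names)
    (action, names), = found.items()
    return action, names[0]

def lang_env_passes(profile, user, lang):
    """Model of Lang Env Tolerance; it matters when Other is Disallow or Terminate."""
    other, _ = resolve(profile, user, "Other")
    if other == ALLOW or lang is None:  # assumption: nothing to tolerate
        return True
    tolerance = profile["lang_env_tolerance"]
    return tolerance == "Any" or (tolerance == "Common" and lang == "en_US.UTF-8")

# Constructed sample profile (all names are made up for illustration).
PROFILE = {
    "lang_env_tolerance": "Common",
    "default_actions": {"Shell": TERMINATE, "SFTP Up": TERMINATE, "Other": DISALLOW},
    "rules": [
        {"name": "admins", "users": {"alice"}, "actions": {"Shell": ALLOW}},
        {"name": "no-upload", "users": {"alice", "bob"}, "actions": {"SFTP Up": DISALLOW}},
        {"name": "uploaders", "users": {"bob"}, "actions": {"SFTP Up": ALLOW}},
    ],
}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for channel in PROFILE["default_actions"]:
            print(user, channel, resolve(PROFILE, user, channel))
```

A user who appears in no rule (carol in the sample) gets the Default Actions result for every channel, which is why the default rule is the one to keep most restrictive.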