F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Center
  3. BIG-IP AFM: Network Firewall Policies and Implementations
  4. Protocol Security
  5. SSH Protocol Security
  6. Secure SSH traffic with the SSH Proxy
  7. Proxy SSH traffic with an SSH Proxy profile
Manual Chapter : Proxy SSH traffic with an SSH Proxy profile

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Proxy SSH traffic with an SSH Proxy profile

Configure an SSH proxy security profile to allow or deny SSH channel actions to specific users on a virtual server.
  1. On the Main tab, click
    Security
    Protocol Security
    Security Profiles
    SSH Proxy
    .
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  2. Click
    Create
    .
    The New SSH Profile screen opens.
  3. In the
    Profile Name
     field, type a unique name for the profile.
  4. From the
    Lang Env Tolerance
     list, select which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the
    Other
     channel type permission (in the SSH Proxy Permissions rules) set to
    Disallow
     or
    Terminate
    .
    Any
    Allows connections with any LANG environment value set.
    Common
    Allows only connections with the LANG environment value set to
    en_US.UTF-8
     to pass through the Other restrictions.
    None
    Disallows all connections with the LANG environment variable set.
  5. In the
    Timeout
     field, specify the idle timeout, in seconds, to maintain an SSH session if there is no activity.
    A setting of
    0
     means that the SSH session never times out.
  6. Edit an existing rule, or add a new rule.
    • To edit an existing rule, click the name of the rule. For example, click
      Default Actions
       to edit the default rule for a profile.
    • To add a new rule, click
      Add New Rule
      . A new line is added to the list of rules. Add a name to the rule to begin editing.
  7. In the Users column, in the
    add new user
     field, type an SSH user name to which the rule applies, then click
    Add
    .
    You cannot add users to the
    Default Actions
     rule.
  8. Configure the settings for each SSH channel action.
    • To allow the session to be set up for the SSH channel action, select
      Allow
      .
    • To deny an SSH channel action, and send a
      command not accepted
       message, select
      Disallow
      . Note that many SSH clients disconnect when this occurs.
    • To terminate an SSH connection by sending a reset message when a channel action is received, select
      Terminate
      .
    In non-default rules, SSH channels have an
    Unspecified
     option, which means that for a specific user, if all the rules' actions (except default actions) are unspecified, then use the
    Default Action
     rule.
  9. To enable logging for an SSH action, select the
    Log
     check box.
    Before events are logged, you need to set up a log publisher and logging profile.
  10. When you finish editing
    • An existing rule, click
      Done Editing
      .
    • A new rule, click
      Add Rule
      .
  11. When you are finished adding and editing rules, click
    Commit Changes to System
    .
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server, attach the profile to a virtual server.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information