Palo Alto Networks Knowledgebase: SSL Decryption Rules Not Matching FQDN
Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:51 PM
A rule is in place to exempt a specific URL from SSL decryption based on its FQDN, but when the website in question is accessed, SSL decryption still occurs.
To determine whether a connection needs to be decrypted, the firewall relies on the common name (CN) in the server's certificate and compares that value against the security policy, rather than the hostname the client typed.
To fix this issue, examine the website's certificate to find its common name.
To find the common name:
Access the website with a browser
Open the certificate details
Look for the CN in the Subject section
If the FQDN entered in the 'custom url category' does not match the certificate's CN, the intended categorization fails because there is no exact match. To resolve this, populate the object within the 'custom url category' with the value contained in the CN: for an exact category match to occur, the security policy must match the CN specified in the certificate rather than the FQDN used to access the site.
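As an added example (not part of the Palo Alto Networks article), the following Python script pulls the certificate a site presents and compares its CN with the FQDN used in the exemption rule, reporting the value the custom URL category entry should carry. The fetch helper assumes network access; the check itself runs offline against a constructed certificate dictionary in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Compare the FQDN in a decryption-exemption rule with the server certificate's
CN, which is the value the article says the firewall matches against."""
import socket
import ssl
from typing import Optional


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the server certificate as the dict getpeercert() returns.
    Needs network access; the checks below accept such a dict directly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def certificate_cn(peercert: dict) -> Optional[str]:
    """Return the commonName from the certificate subject, or None if absent."""
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def _norm(name: str) -> str:
    # Hostnames are case-insensitive and a trailing dot denotes the same name.
    return name.rstrip(".").lower()


def check_rule(rule_fqdn: str, peercert: dict) -> dict:
    """Decide whether a custom URL category entry of rule_fqdn matches this
    certificate under the exact-CN comparison the article describes."""
    cn = certificate_cn(peercert)
    matches = cn is not None and _norm(cn) == _norm(rule_fqdn)
    sans = [v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"]
    return {
        "rule_fqdn": rule_fqdn,
        "certificate_cn": cn,
        "matches": matches,
        "use_in_category": cn,  # value the custom URL category entry needs
        "san_dns_names": sans,  # shown for reference only; not what is compared
    }


# Constructed sample in getpeercert() shape; not taken from any real site.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "*.cdn.example.net"),)),
    "subjectAltName": (("DNS", "*.cdn.example.net"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    print(check_rule("www.example.com", SAMPLE_PEERCERT))
```

For a live site, replace the sample with `fetch_peercert("www.example.com")`; a result with `matches` False shows exactly the CN mismatch the article describes.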