Palo Alto Networks Knowledgebase: SSL Decryption Rules Not Matching FQDN

SSL Decryption Rules Not Matching FQDN

Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:51 PM
URL Filtering
Symptoms

A rule is in place to prevent SSL decryption of a specific URL based on its FQDN, but when the website in question is accessed, SSL decryption still occurs.

Issue

To determine whether a connection needs to be decrypted, the firewall relies on the common name (CN) configured within the server certificate and compares it against the decryption policy, not the FQDN typed into the browser.

Resolution

To fix this issue, the website's certificate needs to be examined to find the common name.

To find the common name:

  1. Access the website with a browser
  2. Open the certificate details
  3. Look for the CN in the Subject section


When an FQDN is specified within the custom URL category and it does not match the certificate's CN, the intended categorization fails because there is no exact match. To resolve this, populate the object within the custom URL category with the URL contained in the CN. For an exact category match to occur, the security policy must match the CN specified in the certificate rather than the FQDN used to access the site.
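As an added example (not from the KB article), the check below reproduces the mismatch described in the Issue and Resolution sections: it pulls the Subject CN out of a certificate in the shape Python's `ssl` `getpeercert()` returns and tests it against the custom URL category entries the way the firewall does, by CN rather than by the FQDN in the browser. `SAMPLE_CERT`, the example.com names and the helper names are constructed for illustration.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# the site is reached as www.example.com but its certificate CN differs.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Org"),),
                (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


def cert_common_name(cert):
    """Pull the Subject CN out of a getpeercert()-style dict (None if absent)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.strip().lower()
    return None


def category_covers(name, entries):
    """Exact, case-insensitive match of a name against custom URL category
    entries, ignoring a trailing '/' that is often typed into the entry."""
    normalized = {e.strip().lower().rstrip("/") for e in entries}
    return name is not None and name.lower().rstrip("/") in normalized


def diagnose(fqdn, cert, entries):
    """Report whether the no-decrypt rule will match as the firewall evaluates it
    (by certificate CN) and, if not, which entry would make the category match."""
    cn = cert_common_name(cert)
    cn_ok = category_covers(cn, entries)
    return {
        "fqdn": fqdn.lower(),
        "cn": cn,
        "fqdn_in_category": category_covers(fqdn, entries),
        "cn_in_category": cn_ok,
        "fix": None if cn_ok else cn,
    }


def fetch_peer_cert(host, port=443, timeout=5):
    """Retrieve a live server certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    category = ["www.example.com"]   # what was entered in the custom URL category
    print(diagnose("www.example.com", SAMPLE_CERT, category))
    print(diagnose("www.example.com", SAMPLE_CERT, category + ["example.com"]))
```

Replace `SAMPLE_CERT` with `fetch_peer_cert("your.site")` to run the same diagnosis against a live certificate.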

owner: bryan
