Palo Alto Networks Knowledgebase: How to Prevent SSL Sessions from Being Re-categorized
Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:39 PM
Zone and DoS Protection
Sessions first identified as the "SSL" application may later be re-categorized as a different application, because the firewall keeps inspecting specific parameters of the SSL handshake. Examples are the Server Name Indication (SNI) in the Client Hello message and the Common Name of the certificate returned in the Server Hello.
Re-categorizing the SSL application to a different one can cause the traffic to be denied if the newly identified application is not allowed by the security rules.
For example, a website is first identified as SSL. The Client Hello sent by the client carries the information shown below:
Shortly afterwards, the session is re-identified as "windows-azure" because of the Server Name value ("inno.blob.core.windows.net").
To prevent this, create a custom application based on a signature that matches specific parameters of the SSL handshake.
Create a custom application whose signature uses the context "ssl-req-client-hello" and a pattern containing the Server Name in hex (for the example above, "\x 696e6e6f2e626c6f622e636f72652e77696e646f77732e6e6574 \x", which is the ASCII string "inno.blob.core.windows.net" byte by byte). The firewall will then identify the traffic as the custom application instead of re-categorizing it.
Finally, a security rule must be configured to allow the custom application. Keep that rule scoped to the intended destination addresses: the Server Name is supplied by the client, so matching on it alone only proves what name the client asked for, not where the traffic is going.