Palo Alto Networks Knowledgebase: How to Prevent SSL Sessions from Being Re-categorized

Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:39 PM

Issue

Sessions initially identified as the "SSL" application may be re-categorized as a different application because the firewall keeps checking certain parameters of the SSL handshake as it progresses. Examples are the Server Name from the Client Hello message or the Common Name of the certificate in the Server Hello response.

Re-categorizing the SSL application to a different one may cause the traffic to be denied if the newly identified application is not allowed by the security rules.

For example, a website is first identified as SSL. The client and server exchange the information shown below:

Shortly after, the session is re-identified as "windows-azure" because of the Server Name value ("inno.blob.core.windows.net").


Resolution

To prevent the issue, create a custom application based on a signature that matches certain parameters of the SSL handshake.

By creating a custom application whose signature uses the Context "ssl-req-client-hello" with the Server Name pattern written in hex (which is "\x 696e6e6f2e626c6f622e636f72652e77696e646f77732e6e6574 \x" for the example above), the firewall will identify the traffic as the custom application instead.

A security rule needs to be configured to safely allow the custom application.


owner: aciobanu
