Palo Alto Networks Knowledgebase: How to Prevent SSL Sessions from Being Re-categorized


Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:39 PM


Sessions first identified as the "SSL" application may later be re-categorized as a different application because the firewall inspects certain parameters of the SSL handshake, for example the Server Name in the Client Hello message or the Common Name of the certificate in the Server Hello response.


Re-categorizing the SSL application as a different one may cause the traffic to be denied if the newly identified application is not allowed by the security rules.

For example, a website is first identified as SSL. The client and server exchange the information shown below:


Shortly after, it will be identified as "windows-azure" due to the Server Name value ("").



To prevent this, create a custom application based on a signature that matches specific parameters of the SSL handshake.

By creating a custom application whose signature uses the Context "ssl-req-client-hello" and a pattern containing the Server Name in hex (which is "\x 696e6e6f2e626c6f622e636f72652e77696e646f77732e6e6574 \x" for the example above), the firewall will identify the traffic as the custom application instead.

A security rule needs to be configured to safely allow the custom application.
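The following is an added example and not PAN-OS or Palo Alto Networks code. It shows the two pieces a practitioner needs in order to verify the steps above: a helper that converts a hostname into the hex pattern form the article uses (the article's pattern decodes to the hostname inno.blob.core.windows.net), and a small ClientHello parser that pulls the Server Name out of the handshake the way the "ssl-req-client-hello" context is matched. The ClientHello bytes are constructed inline as sample input; the function names and the spaced "\x ... \x" pattern layout follow the article and are not verified against PAN-OS's own syntax table.

```python
import struct

# Hex pattern quoted in the article (decodes to "inno.blob.core.windows.net").
PAGE_PATTERN_HEX = "696e6e6f2e626c6f622e636f72652e77696e646f77732e6e6574"


def sni_hex_pattern(hostname: str) -> str:
    """Return the hostname as a hex pattern in the layout the article shows: \\x <hex> \\x."""
    return "\\x " + hostname.encode("ascii").hex() + " \\x"


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with a server_name extension.

    This is constructed sample input for the parser below, not a captured packet.
    """
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0), length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32                              # client_version + 32-byte random
            + b"\x00"                                               # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                                           # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Parse a TLS ClientHello record and return the server_name, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                                       # not a handshake record
            return None
        hs = record[5:]
        if hs[0] != 0x01:                                           # not a ClientHello
            return None
        pos = 4 + 2 + 32                                            # handshake header, version, random
        pos += 1 + hs[pos]                                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]          # cipher_suites
        pos += 1 + hs[pos]                                          # compression_methods
        if pos + 2 > len(hs):
            return None                                             # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype == 0 and len(data) >= 5:                       # server_name: list len, type, name len
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


def matches_pattern(record: bytes, pattern: str) -> bool:
    """Emulate the context check: does the hex pattern occur as raw bytes in the ClientHello?"""
    raw = bytes.fromhex(pattern.replace("\\x", "").strip())
    return raw in record


if __name__ == "__main__":
    host = "inno.blob.core.windows.net"
    hello = build_client_hello(host)
    print("pattern:", sni_hex_pattern(host))
    print("SNI seen by firewall:", extract_sni(hello))
    print("custom-app match:", matches_pattern(hello, sni_hex_pattern(host)))
```

Run the script to see the hex pattern to paste into the custom application and to confirm that a ClientHello for the hostname would match it, while a ClientHello for another hostname would not. Because the match is a byte-substring check, keep the pattern as specific as the article does (the full hostname) so that unrelated sessions are not pulled into the custom application.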


owner: aciobanu
