Palo Alto Networks Knowledgebase: Facebook Blocked without SSL Decryption Enabled

Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:40 PM
Policy
Resolution

Issue

Rules have been added to block the Facebook application, and there is no SSL decryption policy, yet Facebook is still blocked.

Screen Shot 2014-09-21 at 1.44.31 PM.png

Traffic logs also show the application as 'facebook-base' rather than SSL.

Screen Shot 2014-09-21 at 1.46.30 PM.png

 

Cause

Some websites, such as facebook.com, use SSL to deliver content, so the client PC establishes an SSL channel to facebook.com. Once that channel is up, the firewall loses visibility into the traffic and sees the application only as 'SSL'.

The firewall inspects the Client Hello before the SSL handshake is completed, as shown below.

If the Client Hello carries the extension server_name=www.facebook.com, the firewall immediately sends a TCP RST packet to the client, using the server's IP address as the source address, to terminate the session.

This is how the session is blocked and how the firewall recognizes the application as 'facebook-base' rather than just generic SSL.

 

Screen Shot 2014-09-21 at 1.50.37 PM.png

 

owner: mzhou


