Palo Alto Networks Knowledgebase: Facebook Blocked without SSL Decryption Enabled
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:40 PM
Rules have been added to block the Facebook application, and there is no SSL decryption policy, yet Facebook is still blocked.
Traffic logs also show the application as 'facebook-base' rather than SSL.
Some websites, such as facebook.com, use SSL to deliver content, so the client PC establishes an SSL channel to facebook.com. Without decryption, the firewall then loses visibility into the traffic and would be expected to see it only as the application 'SSL'.
The firewall inspects the Client Hello before the SSL handshake is completed, as shown below.
If the extension is server_name=www.facebook.com, the firewall immediately sends a TCP RST packet to the client, using the server's IP address as the source, to terminate the session.
This is how the session is blocked and how the firewall recognizes the application as 'facebook-base' rather than just generic SSL.