URL Categorization in SSL and Policy Lookup Work-Flow
Created On 09/26/18 13:54 PM - Last Updated 04/21/20 20:56 PM
PAN-OS performs a URL Category lookup for URLs encountered in HTTP headers and SSL handshake payloads, as long as a valid URL Filtering license is installed. Using the URL category in policy evaluation and applying the URL Filtering profile action are subject to the conditions highlighted below.
HTTP Connection - Clear-Text Traffic: As soon as the URL is encountered in an HTTP header, PAN-OS derives the URL category and uses it, together with all the information already available (including the App-ID), to look up the relevant security policy. If the selected security policy has a URL Filtering profile attached, the action defined for that URL category in the profile is taken.
In the following sections, the focus is on SSL connections. The work-flow depends on whether the SSL connection is subjected to decryption using the SSL Forward Proxy feature.
Note-1: As of PAN-OS 8.1, the URL Category can be added as a match condition in Security Policies, QoS Policies, Decryption Policies, and Authentication Policies. The focus will be on Decryption Policies and Security Policies in this article.
Note-2: Although the article refers to SSL, the correct term is indeed TLS.
- PAN-OS 8.1 and above.
- Palo Alto Firewall.
SSL Decryption is enabled and is applicable:
- As soon as SSL Client Hello is processed by PAN-OS, the app-id is set to SSL.
- PAN-OS performs a security-policy re-evaluation with the additional information app-id = SSL.
- If the Client Hello carries an SNI, PAN-OS derives the URL category from it; for www.example.com this is "computer-and-internet-info".
- At this point PAN-OS uses the URL category to look up decryption policies alone. With this, the SSL Forward Proxy functionality is engaged.
- It is important to note that PAN-OS does not use the URL category to re-evaluate security policies at this point, nor does it apply the URL category action defined in the relevant URL Filtering profile. The justification is:
a) The URL category is derived from the FQDN as presented by the client (web browser). PAN-OS makes an informed decision that the application using the SSL connection will likely present the full URL (including the file location, e.g. www.example.com/images/amsterdam.png), which becomes visible post-decryption and may match a custom URL category.
b) URL categorization and filtering actions apply strictly to HTTP-based traffic, and during the SSL handshake there is no guarantee that HTTP traffic will flow through the SSL channel.
c) If the URL category action requires PAN-OS to present a response page over HTTP to the end user, it has to wait until the SSL handshake is complete.
- If a decrypted SSL connection terminates gracefully without sending any application data, or if the connection never carries HTTP data, the traffic logs will show incorrect security policies (rules) when URL category match conditions are configured, because those conditions are ignored by design at this stage.
Note: The justification provided above may not be foolproof; however, the work-flow as described is the current design.
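The following Python is an added illustration, not code from the article or from PAN-OS: it extracts the SNI from a constructed ClientHello record, categorizes it with a stand-in lookup table, and models the two-stage lookup described above, in which the SNI category selects a decryption rule while a URL category condition on a security rule only takes effect once a decrypted URL is seen. The rule dictionaries, the CATEGORIES table and the sample record are assumptions made for the example.

```python
import struct

# Constructed sample: a minimal TLS ClientHello record whose only extension is
# server_name = www.example.com (built by hand for this example, not a capture).
CLIENT_HELLO = bytes.fromhex(
    "1603010047" "01000043"            # record: handshake, len 71; ClientHello, len 67
    "0303" + "00" * 32 +               # client_version 3.3, 32-byte random
    "00" "00021301" "0100"             # no session id, one cipher suite, null compression
    "0018" "00000014" "0012" "00000f"  # ext len 24; type 0 server_name len 20; list 18; host_name 15
    "7777772e6578616d706c652e636f6d")  # "www.example.com"

# Constructed stand-in for the URL category service (the article's example host).
CATEGORIES = {"www.example.com": "computer-and-internet-info"}

def extract_sni(record: bytes):
    """Return host_name from the server_name extension of a ClientHello, or None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
    p += 1 + record[p]                                   # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher_suites
    p += 1 + record[p]                                   # compression_methods
    if p + 2 > len(record):
        return None                                      # no extensions present
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        q = p + 6                                        # past ext header and list length
        while etype == 0 and q + 3 <= p + 4 + elen:      # walk ServerNameList entries
            nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
            if record[q] == 0:                           # name_type host_name
                return record[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
        p += 4 + elen
    return None

def lookup(record, decryption_rules, security_rules, decrypted_url=None):
    """Model the article's work-flow: the SNI category selects a decryption rule, but
    url-category conditions on security rules are skipped until a decrypted URL is seen."""
    sni = extract_sni(record)
    sni_cat = CATEGORIES.get(sni, "unknown")
    decryption = next((r["name"] for r in decryption_rules
                       if r["category"] in (sni_cat, "any")), None)
    url_cat = CATEGORIES.get(decrypted_url.split("/")[0], "unknown") if decrypted_url else None
    security = next((r["name"] for r in security_rules
                     if r["app"] in ("ssl", "any")
                     and (url_cat is None or r["category"] in (url_cat, "any"))), None)
    return {"sni": sni, "sni_category": sni_cat, "decryption_rule": decryption, "security_rule": security}
```

Calling lookup() without decrypted_url reproduces the handshake-only case from the last bullet: a security rule whose only distinguishing condition is a URL category can appear as the match in the log even though the SNI category does not satisfy it.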