Why is traffic matching an incorrect security policy based on a custom URL category?

Created On 01/15/20 22:43 PM - Last Modified 10/09/23 13:32 PM


Question


Why is traffic matching an incorrect security policy based on a custom URL category?

Environment


  • NGFW
  • Any PAN-OS


Answer


When an SSL session is created and processed, it goes through the following procedure:
  1. Security policy lookup: the application is identified as ssl, and the URL category is still "any" at this point because the URL has not been seen yet.
  2. Decryption policy lookup: decides whether the traffic is decrypted.
  3. Traffic decryption: once the session is decrypted, the security policy lookup is redone for the subsequent transactions, this time with the URL category known.

NOTE:
Because of this behavior, logs are generated showing the traffic matching a rule that appears to be the wrong one.
In reality, that rule is only allowing the TCP and SSL handshake.
Once the URL category is known and the security policy is looked up again, the final decision to allow or deny the traffic is made.
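The following is an added illustration, not PAN-OS code or part of the original article. It models the three-step procedure above with a minimal first-match rulebase reduced to application and URL category. The rule names, the category name `custom-blocked`, and the assumption that a rule constrained to a specific URL category cannot match while the session's category is still unknown (treated as "any") are all constructed for this example. The trace it returns shows why the first log entry names the general SSL allow rule even though the session is ultimately denied by the custom-category rule.

```python
"""Simplified model of the two-pass security policy lookup described above.
Not PAN-OS code: matching is reduced to application + URL category, and a
session whose URL category is not yet known is treated as category 'any',
so only rules that do not constrain the category can match it (assumption)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    app: str            # application, e.g. "ssl", or ANY
    url_category: str   # a named (custom) category, or ANY
    action: str         # "allow" or "deny"


@dataclass
class Session:
    app: str
    url_category: Optional[str] = None   # None until the URL has been seen


def lookup(rules: List[Rule], session: Session) -> Optional[Rule]:
    """First-match policy lookup; None means no rule matched (implicit deny)."""
    for rule in rules:
        if rule.app != ANY and rule.app != session.app:
            continue
        if rule.url_category != ANY:
            # Category-constrained rule: cannot match while the category is unknown.
            if session.url_category is None or session.url_category != rule.url_category:
                continue
        return rule
    return None


def process_ssl_session(rules: List[Rule], decrypt: bool,
                        observed_category: str) -> List[Tuple[str, Optional[str], str]]:
    """Replay the three steps. Returns a trace of (stage, rule name, action)."""
    session = Session(app="ssl")
    trace: List[Tuple[str, Optional[str], str]] = []

    # Step 1: security policy lookup with url-category still unknown ('any').
    first = lookup(rules, session)
    trace.append(("handshake-lookup", first.name if first else None,
                  first.action if first else "deny"))
    if first is None or first.action == "deny":
        return trace  # handshake never completes

    # Step 2: decryption policy decides whether the session is decrypted.
    if not decrypt:
        return trace  # this model learns the category only via decryption

    # Step 3: after decryption the URL and its custom category are visible;
    # the security policy lookup is redone for subsequent transactions.
    session.url_category = observed_category
    second = lookup(rules, session)
    trace.append(("post-decrypt-lookup", second.name if second else None,
                  second.action if second else "deny"))
    return trace


# Constructed rulebase: the custom-category deny sits above a general SSL allow.
RULEBASE = [
    Rule("deny-custom-blocked", "ssl", "custom-blocked", "deny"),
    Rule("allow-ssl-out", "ssl", ANY, "allow"),
]

if __name__ == "__main__":
    for stage, rule, action in process_ssl_session(RULEBASE, True, "custom-blocked"):
        print(f"{stage:22} rule={str(rule):22} action={action}")
```

Running it prints a first stage matched against `allow-ssl-out` (the handshake) followed by a second stage matched against `deny-custom-blocked`; when reading traffic logs, the first entry is the one that looks "incorrect", and the second is the real verdict.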




https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POF8CAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail