How to identify url information on SSL traffic without decryption


Created On 02/07/20 18:26 PM - Last Modified 10/27/20 03:34 AM


How to identify URL information on SSL traffic without decryption

  • Palo Alto Firewall.
  • Any PAN-OS.


The Palo Alto Networks firewall identifies HTTPS web traffic without performing decryption by using the Server Name Indication (SNI) extension.
In this example, a deny security policy has been configured that blocks the Facebook-base and Facebook-chat applications.


During the SSL handshake, the firewall receives the Client Hello packet and reads the Server Name Indication field from the SSL Handshake Protocol. 

Additional Information


  • The SNI is used for URL categorization when SSL decryption is not enabled.
  • If the client does not send the SNI, then the Common Name (CN), which represents the server name protected by the SSL certificate, is used for URL categorization.
  • Putting the hostname of the web server in the allow or block list of a URL filtering profile will essentially accomplish the same goal as using the CN to enforce policy.
  • The firewall maintains a cache of URL categorizations on both the data plane and the management plane. If the host name contained in the SNI does not exist in either cache, the firewall will perform a lookup in the cloud for its URL category.

How to prevent SSL sessions from being re-categorized 
How to create a custom application for SSL traffic using the SNI field 
