
How to identify url information on SSL traffic without decryption

74713
Created On 02/07/20 18:26 PM - Last Modified 01/15/25 09:49 AM


Objective


How to identify URL information on SSL traffic without decryption



Environment


  • Palo Alto Networks firewall.
  • Any PAN-OS.


Procedure


The Palo Alto Networks firewall identifies HTTPS web traffic without decrypting it by reading the Server Name Indication (SNI) extension that the client sends in the TLS Client Hello.
In the example below, a deny security policy has been configured that blocks the applications facebook-base and facebook-chat.



During the SSL/TLS handshake the firewall receives the Client Hello packet and reads the Server Name Indication field from the Handshake Protocol message, before any encrypted data is exchanged.


Additional Information


Note:

  • The SNI hostname is used for URL categorization when SSL decryption is not enabled. Because the SNI is a cleartext, client-supplied value that the firewall cannot verify against the server certificate without decryption, a client that deliberately sends a misleading SNI can evade this categorization; SSL decryption remains the authoritative method.
  • The SSL Client Hello should immediately follow the TCP 3-way handshake, as in normal protocol flow. Some custom SSL implementations in agents (not web browsers) send data before the Client Hello. In that case the SSL decoder does not engage at all, App-ID will likely identify the session as unknown-tcp, and no URL category match is possible.
  • If the client does not send an SNI, the Common Name (CN) of the server certificate, which represents the server name the certificate protects, is used for URL categorization instead. This applies only when the firewall receives the Server Hello and it carries the SSL certificate; if the connection is terminated before the Server Hello arrives, the CN cache is not populated. Note also that in TLS 1.3 the server certificate is sent encrypted, so this fallback is only available for TLS 1.2 and earlier handshakes.
  • Adding the web server's hostname to the allow or block list of a URL Filtering profile accomplishes essentially the same goal as relying on the CN to enforce policy.
  • The firewall maintains a cache of URL categorizations on both the data plane and the management plane. If the hostname in the SNI is in neither cache, the firewall queries the cloud for its URL category.
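To make the procedure above concrete, the following added example (not code from Palo Alto Networks or from this article) parses the SNI out of the first bytes a client sends, then applies the same ordering the notes describe: SNI first, certificate CN as the fallback, and no match at all when non-TLS data precedes the Client Hello. The Client Hello bytes are constructed inline with a small builder, the `BLOCK_LIST` is a constructed stand-in for the facebook-base/facebook-chat deny rule, and `hostname_for_policy` and `decision` are illustrative names, not PAN-OS functions.

```python
import struct

# Constructed stand-in for the deny rule in the article (not a real PAN-OS object).
BLOCK_LIST = ("facebook.com", "messenger.com")


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32              # client_version + 32-byte random
    body += b"\x00"                                 # empty session_id
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite
    body += b"\x01\x00"                             # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name     # host_name entry
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # server_name ext
    exts += struct.pack("!HH", 0x0017, 0)           # extended_master_secret, forces a skip
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type 1 + 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI host_name from the client's first bytes, or None if absent."""
    try:
        # The decoder only engages when the very first record is a TLS Handshake ClientHello.
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                                # host_name
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def hostname_for_policy(client_bytes, server_cert_cn=None):
    """Mirror the article's order: SNI first, else the CN seen in the server certificate.

    server_cert_cn is None when the session never reached a Server Hello carrying a
    certificate, so nothing can be used for categorization.
    """
    sni = extract_sni(client_bytes)
    return sni if sni else server_cert_cn


def decision(hostname):
    """Apply a block list with subdomain matching; None means no category could be derived."""
    if hostname is None:
        return "no-match"           # app-id likely unknown-tcp, URL category cannot match
    h = hostname.lower().rstrip(".")
    for domain in BLOCK_LIST:
        if h == domain or h.endswith("." + domain):
            return "deny"
    return "allow"


if __name__ == "__main__":
    print(decision(hostname_for_policy(build_client_hello("www.facebook.com"))))
    print(decision(hostname_for_policy(b"HELLO\r\n" + build_client_hello("www.facebook.com"))))
    print(decision(hostname_for_policy(build_client_hello(None), server_cert_cn="edge.facebook.com")))
```

The third case in the usage block shows the CN fallback from the notes: the Client Hello carries no SNI, so the hostname comes from the certificate the firewall saw in the Server Hello. The second case shows the failure mode for agents that send data before the Client Hello: the parser bails out at the first byte, exactly as the SSL decoder never engages, and no category can be matched.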


How to prevent SSL sessions from being re-categorized 
How to create a custom application for SSL traffic using the SNI field 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PObsCAG&lang=en_US