How to identify url information on SSL traffic without decryption
How to identify URL information on SSL traffic without decryption
- Palo Alto Firewall.
- Any PAN-OS.
Palo Alto Networks firewall identifies web traffic that use HTTPS without performing decryption by Server Name Indication (SNI)
Here in our example we have configured deny security policy that blocks Facebook-base and Facebook-chat
In the SSL handshake the firewall receives Client Hello packet and identify Server Name Indication field in the SSL Handshake Protocol.
- The SNI is used for URL categorization when SSL decryption is not enabled.
- If the client does not send the SNI, then the Common Name (CN) which represents the server name protected by the SSL certificate is used for URL categorization.
- Putting the hostname of the web server in the allow or block list of a URL filtering profile will essentially accomplish the same goal as using the CN to enforce policy.
- The firewall maintains a cache of URL categorizations on both the data plane and the management plane. If the host name contained in the SNI does not exist in either cache, the firewall will perform a lookup in the cloud for its URL category.