How to identify url information on SSL traffic without decryption

How to identify url information on SSL traffic without decryption

9373
Created On 02/07/20 18:26 PM - Last Modified 10/27/20 03:34 AM


Objective

How to identify URL information on SSL traffic without decryption



Environment
  • Palo Alto Firewall.
  • Any PAN-OS.


Procedure

Palo Alto Networks firewall identifies web traffic that use HTTPS without performing decryption by Server Name Indication (SNI)
Here in our example we have configured deny security policy that blocks Facebook-base and Facebook-chat


User-added image 


User-added image

In the SSL handshake the firewall receives Client Hello packet and identify Server Name Indication field in the SSL Handshake Protocol. 
    
User-added image


Additional Information

Note:

  • The SNI is used for URL categorization when SSL decryption is not enabled.
  • If the client does not send the SNI, then the  Common Name (CN) which represents the server name protected by the SSL certificate  is used for URL categorization.
  • Putting the hostname of the web server in the allow or block list of a URL filtering profile will essentially accomplish the same goal as using the CN to enforce policy.
  • The firewall maintains a cache of URL categorizations on both the data plane and the management plane. If the host name contained in the SNI does not exist in either cache, the firewall will perform a lookup in the cloud for its URL category.


How to prevent SSL sessions from being re-categorized 
How to create a custom application for SSL traffic using the SNI field 



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PObsCAG&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language