How to enforce URL filtering policy on TLS handshakes for decrypted HTTPS sessions
27811
Created On 08/04/20 19:32 PM - Last Modified 10/10/23 08:32 AM
Objective
Please see KB article URL filtering lookup and enforcement differences between clear text HTTP and encrypted HTTPS traffic for context before implementing any of the following mitigations.
To enforce URL filtering policy on TLS handshakes for decrypted HTTPS sessions, we suggest you use any one of the following workarounds:
- Route outbound traffic between two vsys on PanOS firewalls which are capable of that and perform URL Filtering on one and SSL/TLS Decryption on another vsys.
- Add 2 additional Security Zones and route outbound traffic between them to apply both “Decrypt” and “No Decrypt” Decryption policy rules. For example, you configure your NGFW in the way the traffic travels from Inside zone to Internal-DMZ zone with “No Decrypt” applied, then is passed to External-DMZ and travels from External-DMZ to Internet zone with “Decrypt” rule applied. This workaround is described in detail below. Be aware that this configuration may significantly increase load on the firewall.
- Use the additional security device in the traffic chain. The SSL/TLS Decryption and URL-filtering functions should be separated between them (for example the first device is performing URL Filtering, and the second device is performing SSL/TLS Decryption.
We do not recommend disabling SSL/TLS Decryption because it will expose you to much higher risks.
Environment
- PAN-OS < 10.1
Procedure
Details of the suggested workaround (2)
The concept of this workaround is to emulate the second cybersecurity device within PanOS NGFW to implement both “Decrypt” and “No Decrypt” security policy rules to the same part of traffic. The implementation workflow is described below, however based on your configuration, some alterations might be required.
ATTENTION: The described configuration may significantly increase the Firewall load due to doubling the number of active SSL sessions and web-browsing traffic. Consider implementing it to the sensitive data segments only or using PBF (Policy Based Forwarding) to restrict what traffic should be inspected twice.
The following steps are supposed to help you build configuration on your firewall that represents the principle diagram on the scheme below. The following table represents Network Interfaces configuration. The traffic from Inside security zone should pass through Internal DMZ and External DMZ zones, routed by two separated Virtual Routers before it reaches the Internet zone. That allows you to implement a different sets of security rules on each of the traffic path sections (Inside - Internal DMZ and External DMZ - Internet).
| Interface | Type | Security Zone | Virtual Router | Comment |
|---|---|---|---|---|
| Ethernet 1/1 | L3 Egress IP-address | Internet | VR-2 | |
| Ethernet 1/2 | L3 192.168.112.1/24 | External-DMZ | VR-2 | Physical interfaces are connected together with the Ethernet link |
| Ethernet 1/3 | L3 192.168.112.1/24 | Internal-DMZ | VR-1 | |
| Ethernet 1/4 | L3 192.168.42.1/24 | Inside | VR-1 |
STEPS TO IMPLEMENT:
-
Connect two vacant Ethernet interfaces with the physical link. In this description Ethernet 1/2 and Ethernet 1/3 will be used for reference.
-
Configure Ethernet 1/2 and Ethernet 1/3 as Layer 3 type interface (Navigate to Network > Interfaces, choose interface and assign Layer 3 Interface type. Leave other fields as default for now)
-
Create a new Virtual Router. We will refer to this Virtual Router as VR-2 in this guide. Assign to VR-2 interface Ethernet 1/2 and the interface with the link to Internet (Ethernet 1/1 on the diagram). To do the last, you might need to un-assign this interface from the current Virtual Router.
-
Assign the interface Ethernet 1/3 to the Virtual Router with your Inside zone connected. We are referring to this Virtual Router as VR-1 in this guide.
-
Create new Security Zones: External-DMZ and Internal-DMZ and assign them to interfaces Ethernet 1/2 and Ethernet 1/3 respectively.
- Configure interfaces Ethernet 1/2 and Ethernet 1/3 by assigning them IP-addresses from the same network range (in this guide we will use 192.168.112.1/24. So Ethernet 1/2 is configured with IP-address 192.168.112.1/24 and Ethernet 1/3 - with IP-address 192.168.112.2/24). Please refer to the screenshot below.
- Navigate back to Virtual Routers (Network > Virtual Routers) configuration screen. Add Static Route, directing traffic from VR-1 to VR-2:
- On VR-2 you need to add two new static routes, directing traffic to Internal DMZ and directing traffic to Internet:
- You also need to adjust your NAT policy to reflect the changes. For outbound traffic, you need to remove NAT policy from your Inside zone (if you had one) and add it to External-DMZ zone. The example is in the screenshot below
- After committing the configuration, you can observe that two sessions were created for each of outgoing connections, one between Inside and Internal-DMZ and another between External-DMZ and Internet.
- Now you can create two Decryption Policy rules for the outgoing traffic, applying “No Decrypt” action for the traffic between Inside and Internal-DMZ and “Decrypt” for the traffic between External-DMZ and Internet.
- Adjust your Security Policy rules accordingly to reflect the changes. To avoid risk, associated with the discovered exfiltration method, you need to apply URL filtering to the traffic on the both segments Inside > Internal-DMZ and External-DMZ > Internet.