Can the firewall apply URL filtering capabilities on HTTPS traffic without enabling decryption?
14292
Created On 06/27/22 10:06 AM - Last Modified 03/31/25 11:16 AM
Question
Without decryption enabled, can the firewall reliably apply URL filtering capabilities on HTTPS traffic?
Environment
- Palo Alto Firewall
- Supported PAN-OS
- URL Filtering
Answer
- Yes. URL Filtering can be applied to HTTPS traffic without SSL decryption. Enforcement is then performed on a 'best effort' basis using the SNI (Server Name Indication) value from the TLS handshake.
Details:
- When an HTTPS session is established, the TCP handshake completes first, followed by the TLS/SSL handshake.
- Traffic is encrypted only after the TLS/SSL handshake completes; the ClientHello that starts the handshake is sent in the clear.
- In the TLS/SSL handshake, the SNI (Server Name Indication) extension of the ClientHello carries the hostname/domain for which the TLS/SSL session is being set up.
- The firewall reads the SNI field to identify the FQDN and applies the URL Filtering profile to that FQDN.
Please Note: URL Filtering enforcement on HTTPS traffic without decryption is described as 'best effort' because the firewall can only inspect and enforce what it can see, which in this case is the SNI. It can enforce URL Filtering policy only on the SNI hostname, not on a more granular category that applies to the full URL:
Example: The SNI www[.]example[.]com is categorized as 'Computers and Internet Info', which you allow, but the URL www[.]example[.]com/social_section/nightlife/index[.]html might be categorized as 'Personal Blogs', a category you block due to company policy. Without decryption, the path is never visible, so the request is allowed based on the SNI's category.
Without decryption, the firewall can only enforce URL Filtering as 'best effort' based on the SNI and the SNI's category. For maximum URL Filtering enforcement, it is recommended to implement SSL decryption.
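To make the 'best effort' behaviour concrete, the following added example (not firewall code, and not part of this article) builds a minimal TLS ClientHello, extracts the SNI from it the way an inline device has to, and compares the verdict reachable from the SNI alone with the verdict that would need the full URL. The category table, the blocked-category set and the policy verdicts are constructed for illustration and are not PAN-DB data; how a real firewall treats a ClientHello with no SNI is not stated in the article, so the example simply reports the category as unknown.

```python
import struct

# Constructed category table for illustration only (hypothetical, not PAN-DB data).
CATEGORIES = {
    "www.example.com": "computer-and-internet-info",
    "www.example.com/social_section/nightlife/index.html": "personal-sites-and-blogs",
}
# Hypothetical company policy: block this category.
BLOCKED = {"personal-sites-and-blogs"}


def build_client_hello(sni=None):
    """Build a minimal TLS ClientHello record (constructed sample input).

    With sni=None the extensions block is empty, which models a client that
    does not send Server Name Indication at all.
    """
    client_random = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\x13\x01\x13\x02"   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    compression = b"\x00"                 # null compression only
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, the name itself
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        # extension type 0x0000 = server_name
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello, or None.

    Returns None for anything that is not a well-formed handshake/ClientHello
    or that carries no server_name extension; truncated input is treated the same.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # client_version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == 0x0000:
                off = 2                                # skip server_name_list length
                while off + 3 <= len(ext_data):
                    name_type = ext_data[off]
                    name_len = struct.unpack("!H", ext_data[off + 1:off + 3])[0]
                    name = ext_data[off + 3:off + 3 + name_len]
                    if name_type == 0:
                        return name.decode("ascii")
                    off += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None


def sni_verdict(record):
    """Best-effort verdict from the cleartext ClientHello alone: (host, category, action)."""
    host = extract_sni(record)
    category = CATEGORIES.get(host, "unknown") if host else "unknown"
    return host, category, ("block" if category in BLOCKED else "allow")


def full_url_verdict(url):
    """Verdict that is only reachable after decryption, when the full URL is visible."""
    category = CATEGORIES.get(url, "unknown")
    return category, ("block" if category in BLOCKED else "allow")


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(sni_verdict(hello))
    print(full_url_verdict("www.example.com/social_section/nightlife/index.html"))
    print(b"nightlife" in hello)   # the path never appears in the handshake
```

Running the block shows the divergence described above: the SNI verdict for www.example.com is allow, while the full-URL verdict for the nightlife page is block, and the path string is simply absent from the bytes the firewall can see without decryption. The same parser also returns None for a ClientHello with no SNI extension, which is the second way a best-effort match can fall short.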
Additional Information
Example (How firewall would determine based on SNI):
- In the capture below, the firewall receives HTTPS traffic for www.paloaltonetworks.com.
- This FQDN appears in the TLS/SSL ClientHello under the Server Name Indication (SNI) extension, and that is the value the firewall matches against the URL Filtering profile.