Security Policy Match Failure with URL Category and SSL Forward Decryption in PAN-OS 11.2.3

Security Policy Match Failure with URL Category and SSL Forward Decryption in PAN-OS 11.2.3

394
Created On 02/21/25 09:35 AM - Last Modified 10/29/25 23:24 PM


Symptom


  • Traffic not matching the configured URL category with path "<ip address>/finance.html" when using SSL Forward Proxy.
  • When using the SSL Inbound Inspection, the traffic matches the configured URL category <ip address>/finance.html" correctly.
  • The traffic only matches the "<ip address>" when using SSL Forward Proxy.

Environment


  • Palo Alto Firewalls
  • PAN-OS 11.2.3
  • SSL Forward Proxy

Cause


Regression failure in the PAN-OS 11.2.3.

Resolution


  1. This is an addressed issue. See release notes
  2. Upgrade to one the fixed versions (listed below) will resolve the issue.
    • 11.2.6, 
    • 11.2.8,
    • 12.1.2,
    • 12.2.0,
    • 10.2.17,
    • 11.2.4-h7

Additional Information


  • The workaround identified during troubleshooting involved leveraging the SNI field within the URL category.
  • Using the SNI field resolves the matching issue with the URL category, allowing traffic to be appropriately classified.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HF5WCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail