URL filtering not blocking the predefined categories when decryption is disabled

Created On 10/29/24 22:23 PM - Last Modified 04/23/26 22:48 PM


Symptom


URL filtering is not blocking the malware and adult categories for user traffic, even though the traffic hits the correct security policy and the "test url <url>" CLI command categorizes the site correctly. Decryption is disabled.

Looking at which frame carries the SNI: it is frame 5 of rc.pcap, the second TCP segment of the Client Hello. Frame 5 is only 413 bytes on the wire, i.e. the tail of a Client Hello whose first segment (which does not contain the string "mydomain.ca") was sent earlier:

$tshark -r rc.pcap -Y "frame contains \"mydomain.ca\""

    5   0.023032 0.000000 10.72.131.65 → 52.35.132.113 TLSv1.2 413 3737619185  Client Hello (SNI=mydomain.ca)
    7   0.055283 0.032251 52.35.132.113 → 184.67.252.58 TLSv1.2 1518 2145339859  Server Hello

 



Environment


PAN-OS 11.1.2, PA-1410, GlobalProtect (GP) 4.1.8



Cause


The PAN-OS proxy code assumed that a TLS Client Hello would arrive in a single TCP segment. Since Chrome enabled a hybrid post-quantum key exchange by default (X25519Kyber768, later X25519MLKEM768), the Client Hello carries an additional key share of roughly 1.2 KB and routinely exceeds the TCP MSS, so it is split across two segments. The proxy only parses the first segment; when the SNI falls into the second segment (as in frame 5 above) the session is not categorized and the URL category-based block is never applied.
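The following Python script is an added illustration of this failure mode and is not Palo Alto Networks code. It builds a constructed Client Hello for "mydomain.ca" with a 1216-byte hybrid post-quantum key share (the size of an X25519Kyber768 share), splits it into 1460-byte TCP segments the way the capture above shows, and compares a parser that only sees the first segment with one that accumulates segments until the TLS record is complete. The record layout follows RFC 8446; the padding extension is used only as a stand-in for the other extensions a real browser sends, and the key-share group id 0x6399 is the X25519Kyber768Draft00 code point (assumed here, not taken from the capture).

```python
import struct

# Constructed sample data (not captured traffic): a TLS Client Hello for
# "mydomain.ca" sized like Chrome's once the hybrid post-quantum key share is
# on, so that it no longer fits in one 1460-byte TCP segment.
SNI_HOST = "mydomain.ca"
MSS = 1460               # typical Ethernet TCP MSS
PQ_KEY_SHARE_LEN = 1216  # X25519Kyber768 share: 32-byte x25519 + 1184-byte Kyber768 public key


def _ext(ext_type, body):
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(host, pq=True, filler=480):
    """Return one TLS record (content type 22) carrying a Client Hello.

    The extension order deliberately puts server_name last, as happened in the
    capture above (Chrome shuffles extension order), so the SNI lands in the
    second TCP segment when the message is split.
    """
    shares = struct.pack("!HH", 0x001D, 32) + b"\x01" * 32  # x25519 share
    if pq:
        # 0x6399 = X25519Kyber768Draft00 (assumed group id); opaque key bytes
        shares += struct.pack("!HH", 0x6399, PQ_KEY_SHARE_LEN) + b"\x02" * PQ_KEY_SHARE_LEN
    key_share = _ext(0x0033, struct.pack("!H", len(shares)) + shares)
    # Padding extension (RFC 7685) used here only as a stand-in for the other
    # extensions a real browser sends (ALPN, signature_algorithms, GREASE, ...).
    padding = _ext(0x0015, b"\x00" * filler)
    name = host.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
    server_name = _ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list)
    extensions = key_share + padding + server_name
    body = (
        b"\x03\x03"                    # legacy_version = TLS 1.2
        + b"\x11" * 32                 # random
        + b"\x20" + b"\x22" * 32       # legacy_session_id (32 bytes)
        + b"\x00\x02\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tcp_segments(record, mss=MSS):
    """Split the record the way TCP would: consecutive chunks of at most mss bytes."""
    return [record[i:i + mss] for i in range(0, len(record), mss)]


def extract_sni(data):
    """Return the server_name from a complete Client Hello record, else None.

    A partial record (the first TCP segment of a split Client Hello) cannot be
    parsed safely: the extension block that carries the SNI is cut off.
    """
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                   # record still incomplete
    p = 5
    if data[p] != 0x01:
        return None                                   # not a Client Hello
    p += 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + data[p]                                  # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]    # cipher suites
    p += 1 + data[p]                                  # compression methods
    end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0x0000:                           # server_name
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
            return data[p + 5:p + 5 + name_len].decode()
        p += elen
    return None


def sni_first_segment_only(segments):
    """Pre-fix behaviour: inspect the first TCP segment only."""
    return extract_sni(segments[0])


def sni_with_accumulation(segments):
    """Accumulation proxy behaviour: buffer segments until the record is complete."""
    buf = b""
    for seg in segments:
        buf += seg
        sni = extract_sni(buf)
        if sni is not None:
            return sni
    return None


if __name__ == "__main__":
    for pq in (False, True):
        segs = tcp_segments(build_client_hello(SNI_HOST, pq=pq))
        print(f"pq={pq}: {len(segs)} segment(s), first-segment SNI="
              f"{sni_first_segment_only(segs)!r}, accumulated SNI={sni_with_accumulation(segs)!r}")
```

Without the post-quantum share the constructed record is 630 bytes and the SNI is found in the single segment; with it the record is 1850 bytes, the first-segment parser returns None, and only the accumulating parser recovers "mydomain.ca" from the second segment, which is exactly what the firewall needs before it can match a URL category.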



Resolution


PAN-247099 introduces the accumulation proxy, which reassembles a Client Hello that spans several TCP segments before parsing it. Customers need to upgrade to PAN-OS 11.1.2-h9 to get this fix.

Note: PAN-247099 introduced two regressions, PAN-226361 and PAN-262287.
PAN-226361 and PAN-262287 are fixed in 11.1.2-h14 (refer to the fix versions of PAN-262287 for other releases).
Although the symptom is resolved by the fixes above, PAN-270549 will provide the complete fix.

 

Work around:

Disabling the post-quantum (Kyber) key exchange in Chrome shrinks the Client Hello back to a single TCP segment, so the URL filtering profile categorizes the session and the categories are blocked as expected. In a managed environment this can be pushed centrally with the Chrome enterprise policy PostQuantumKeyAgreementEnabled set to false (or per browser via chrome://flags/#enable-tls13-kyber in the Chrome versions that still expose it). Doing this for all users is difficult, and Google documents the policy as temporary, so treat it as a stopgap rather than a fix.



Additional Information


Accumulation Proxy Trigger Conditions

The accumulation proxy is triggered only when the following conditions are met:

  1. Fragmented Client Hello: The TLS Client Hello message does not arrive in a single TCP segment.

  2. Policy Requirement: At least one of the following policies must be present:

    • URL-Proxy: Must include a URL category match in the security policy. URL-proxy is a feature that serves block pages for HTTPS sites without requiring explicit decryption policies. For more details, refer to this KB article.

    • Decryption Policy: Can be either a forward or inbound decryption policy.

      • Note on Decryption Policies:

        • It does not need to be a URL category-based policy.

        • The specific traffic does not need to match the decryption policy.

        • The traffic itself does not need to be decrypted; the mere action of the firewall evaluating decryption policies is sufficient to trigger the accumulation proxy.

A segmented Client Hello is problematic when customers need only URL categorization but have neither a decryption policy nor URL proxy enabled.
  • Prior to content update 9087-19265:
    • The only way to reliably categorize the URL of a segmented Client Hello was to trigger the accumulation proxy.
    • Because the accumulation proxy requires either a decryption policy or URL proxy, customers had to add a dummy "no-decrypt" decryption policy to activate it.
  • With content update 9087-19265:
    • URL categorization now works on a segmented Client Hello without forcibly activating the accumulation proxy, so the dummy "no-decrypt" policy is no longer needed when SSL decryption is not required.


Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PQn7CAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail