Does the TLS handshake complete when the "Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic" feature is enabled?


Created On 12/21/22 02:05 AM - Last Modified 10/17/23 02:57 AM


Question


With the Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic feature enabled, does the TLS handshake complete between the client and the server?

Environment


  • Palo Alto Networks firewalls
  • PAN-OS 10.1, 10.2
  • Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic


Answer


  1. Yes. The TLS handshake completes even when "Send handshake messages to CTD for inspection" is enabled.
  2. The firewall does not block the Client Hello of a web session immediately, even if the domain in the SNI field belongs to a malicious URL category.
  3. The firewall blocks the web session just after the TLS handshake has completed if the domain in the Server Name Indication (SNI) field belongs to a malicious URL category, provided that the firewall is configured to decrypt traffic in malicious URL categories, block malicious domains, and inspect SSL/TLS handshake messages. In practice this means a packet capture or a client-side error shows a successfully completed handshake followed by the session being terminated, rather than a failure at the Client Hello.
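
The following is an added illustration of the two behaviours described in the answer, written for this article; it is not Palo Alto Networks code and does not model the firewall's internals. It builds a minimal TLS ClientHello, parses the SNI host name back out of it (the field the verdict is based on), and replays a handshake through a small decision model: in "legacy" mode the session is blocked at the Client Hello, in "enhanced" mode the verdict is remembered at the Client Hello but enforced only after the handshake has completed. The hostnames, the URL-category table and the handshake step names are constructed for the example.

```python
"""Constructed model of SNI-based blocking with and without Enhanced Handling.
Not Palo Alto Networks code: the category table, hostnames and step names are
made up for illustration; only the ClientHello/SNI byte layout follows TLS."""
import struct
from typing import Optional, Tuple

# Constructed stand-in for the firewall's URL-category lookup.
CATEGORIES = {
    "bad.example": "malware",
    "www.example.com": "computer-and-internet-info",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "command-and-control"}


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    host = sni.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host        # name_type=host_name(0)
    ext_data = struct.pack("!H", len(sni_list)) + sni_list    # server_name_list
    sni_ext = struct.pack("!HH", 0, len(ext_data)) + ext_data # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random (zeroed here)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # compression_methods: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    p += 1 + record[p]                      # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher_suites
    p += 1 + record[p]                      # compression_methods
    ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0:                      # server_name extension
            q = p + 2                       # skip server_name_list length
            ntype, nlen = struct.unpack_from("!BH", record, q)
            if ntype == 0:
                return record[q + 3:q + 3 + nlen].decode()
        p += elen
    return None


class SniPolicy:
    """Per-session decision model. enhanced=True models the feature in this
    article: the verdict is taken at the Client Hello but enforced only once
    the handshake has completed."""

    def __init__(self, enhanced: bool):
        self.enhanced = enhanced
        self.pending_block = False
        self.handshake_done = False

    def inspect(self, step: str, payload: bytes = b"") -> str:
        if step == "client_hello":
            sni = parse_sni(payload)
            if CATEGORIES.get(sni) in BLOCKED_CATEGORIES:
                if not self.enhanced:
                    return "block"          # Client Hello never reaches the server
                self.pending_block = True   # remember the verdict, let handshake run
        elif step == "finished":
            self.handshake_done = True
            if self.pending_block:
                return "block"              # torn down right after the handshake
        return "allow"


def run_session(enhanced: bool, sni: str) -> Tuple[Optional[str], bool]:
    """Replay a constructed handshake plus one application-data record.
    Returns (step at which the session was blocked or None, handshake completed?)."""
    policy = SniPolicy(enhanced)
    steps = [("client_hello", build_client_hello(sni)), ("server_hello", b""),
             ("certificate", b""), ("server_hello_done", b""),
             ("client_key_exchange", b""), ("finished", b""),
             ("app_data", b"GET / HTTP/1.1\r\n")]
    for name, payload in steps:
        if policy.inspect(name, payload) == "block":
            return name, policy.handshake_done
    return None, policy.handshake_done


if __name__ == "__main__":
    for mode in (False, True):
        print("enhanced" if mode else "legacy  ", run_session(mode, "bad.example"))
```

The point the model makes visible is the one in item 3 above: with the enhanced mode the `finished` step is reached and `handshake_done` is true before the block is enforced, so a client or a capture sees a completed handshake followed by a terminated session, whereas the legacy path stops at `client_hello`.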


Additional Information


PAN-OS 10.1 New Feature Guide: Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFltCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail