How is the URL categorization done when there is no SNI field in the Client Hello

Created On 04/21/22 08:24 AM - Last Modified 06/04/24 21:22 PM


Question


How is the URL categorization done when there is no SNI field in the Client Hello?

Details:
  • Firewall is configured with Security Policy to bypass decryption for a custom URL category.
  • The firewall receives a client hello that does not include SNI field.
  • Because the Client Hello lacks an SNI, the decryption-bypass policy does not match: the category the firewall assigns to the session will not match the actual URL.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • URL categorization


Answer


  1. When the SNI field is not included in the Client Hello, the URL category is looked up using the IP address of the server instead of the host name.
  2. This may result in the category not matching the custom URL category, so the decryption bypass does not apply.
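To make the lookup order concrete, here is an added Python example (not from this article and not PAN-OS code) that parses a TLS ClientHello for the server_name extension and falls back to the server IP when it is absent. The category tables, host name and address are constructed placeholders.

```python
import struct

# Constructed lookup tables standing in for the URL database and a custom category (placeholders).
HOST_CATEGORY = {"intranet.example.com": "custom-no-decrypt"}
IP_CATEGORY = {"203.0.113.10": "business-and-economy"}
BYPASS_CATEGORIES = {"custom-no-decrypt"}

def build_client_hello(sni=None):
    """Build a minimal TLS ClientHello handshake message, with or without SNI."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random
    body += b"\x00"                              # session_id length 0
    body += b"\x00\x02\x13\x01"                  # one cipher suite
    body += b"\x01\x00"                          # compression: null only
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext                # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body         # type + 3-byte length

def extract_sni(client_hello):
    """Return the server_name from a ClientHello, or None if the extension is absent."""
    if len(client_hello) < 4 or client_hello[0] != 1:
        return None
    pos = 4 + 2 + 32                             # skip header, version, random
    pos += 1 + client_hello[pos]                 # session_id
    pos += 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + client_hello[pos]                 # compression methods
    if pos + 2 > len(client_hello):
        return None                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4])
        pos += 4
        if ext_type == 0:                        # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", client_hello[pos + 3:pos + 5])[0]
            return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def categorize(client_hello, server_ip):
    """Mimic the lookup order: SNI host name first, server IP as the fallback."""
    sni = extract_sni(client_hello)
    category = HOST_CATEGORY.get(sni) if sni else None
    category = category or IP_CATEGORY.get(server_ip, "unknown")
    return category, category in BYPASS_CATEGORIES
```

With the SNI present the session lands in the custom category and is bypassed; the same server reached without SNI is categorised by IP and is not.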
