https://live.paloaltonetworks.com/t5/general-topics/question-about-ech-and-its-effect-on-url-filtering-without/m-p/1249620#M126110 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>To maintain optimal function of the security services of the firewall, Palo Alto Networks recommends blocking all ECH-supporting record types.<BR /></SPAN></P> <P>&nbsp;</P> <P>Source:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/dns-security-support-for-dns-over-https" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/dns-security-support-for-dns-over-https</A></P> <P>&nbsp;</P> <P>Hope this helps,</P> Fri, 06 Mar 2026 15:43:33 GMT kiwi 2026-03-06T15:43:33Z https://live.paloaltonetworks.com/t5/general-topics/question-about-ech-and-its-effect-on-url-filtering-without/m-p/1249533#M126102 <P>Hi team</P> <P>We have received reports from users regarding URL filtering behavior and are investigating whether ECH (Encrypted Client Hello) is the cause. In our environment, we cannot apply SSL decryption, so we rely on inspecting the SNI<BR />in the ssl_client_hello.</P> <P>In Wireshark captures of the TLS ClientHello, we see the extension “encrypted_client_hello (ECH)”. It appears that Cloudflare allows a generic external SNI and encrypts<BR />the internal SNI, which is where the actual URL to be accessed goes. This makes URL filtering less effective.</P> <P>Can you confirm this?</P> <P>1. How ECH affects URL filtering and destination identification in PAN-OS without decryption (official limitations).<BR />2. Whether Palo Alto recommends blocking/mitigating ECH in corporate environments to maintain the effectiveness of URL filtering.<BR />3. What is the supported method for blocking/preventing ECH (e.g., signature to detect ECH in ClientHello, or blocking associated DNS RRs such as HTTPS/SVCB) and how to validate it in logs.</P> <P>Thank you,</P> <P>&nbsp;</P> Thu, 05 Mar 2026 08:10:41 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-ech-and-its-effect-on-url-filtering-without/m-p/1249533#M126102 Alpalo 2026-03-05T08:10:41Z https://live.paloaltonetworks.com/t5/general-topics/question-about-ech-and-its-effect-on-url-filtering-without/m-p/1249620#M126110 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>To maintain optimal function of the security services of the firewall, Palo Alto Networks recommends blocking all ECH-supporting record types.<BR /></SPAN></P> <P>&nbsp;</P> <P>Source:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/dns-security-support-for-dns-over-https" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/dns-security-support-for-dns-over-https</A></P> <P>&nbsp;</P> <P>Hope this helps,</P> Fri, 06 Mar 2026 15:43:33 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-ech-and-its-effect-on-url-filtering-without/m-p/1249620#M126110 kiwi 2026-03-06T15:43:33Z