https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213630#M62129 <P>If traffic is encrypted then all that Palo sees is name on the certificate and it assumes application/website based on that.</P><P>For example in case of Google it is *.google.com</P><P>In case of SSL traffic HTTP GET goes inside encrypted payload and without decrypting Palo does not see it.</P><P>As a result&nbsp;Palo can't distinguish if you go to maps.google.com or <A href="http://www.google.com" target="_blank">www.google.com</A> etc.</P><P>Also if you want to block specific Youtube videos you need decryption to see full URL user tries to access.</P> Tue, 08 May 2018 19:39:28 GMT Raido_Rattameister 2018-05-08T19:39:28Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213590#M62116 <P>Hi</P><P>&nbsp;</P><P>If I want to use URL Filtering Profile to block a particular "https" website (for ex, youtube.com) do I compulsorily need a decryption profile as well?</P><P>&nbsp;</P><P>This question is partly answered here:</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-a-Specific-HTTPS-Site-with-URL-Filtering/ta-p/53840" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-a-Specific-HTTPS-Site-with-URL-Filtering/ta-p/53840</A></P><P>&nbsp;</P><P>But the example is specific to a sub-URL. I want to know for any HTTPS Website.</P><P>&nbsp;</P><P>Thanks and Regards,</P><P>R</P> Tue, 08 May 2018 16:03:04 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213590#M62116 rjdahav163 2018-05-08T16:03:04Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213630#M62129 <P>If traffic is encrypted then all that Palo sees is name on the certificate and it assumes application/website based on that.</P><P>For example in case of Google it is *.google.com</P><P>In case of SSL traffic HTTP GET goes inside encrypted payload and without decrypting Palo does not see it.</P><P>As a result&nbsp;Palo can't distinguish if you go to maps.google.com or <A href="http://www.google.com" target="_blank">www.google.com</A> etc.</P><P>Also if you want to block specific Youtube videos you need decryption to see full URL user tries to access.</P> Tue, 08 May 2018 19:39:28 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213630#M62129 Raido_Rattameister 2018-05-08T19:39:28Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213638#M62132 <P>Actually it is possible to have URL filtering configured without TLS decryption, because the client sends the hostname of the website where it wants to connect in the TLS handshake. This part of the connection is not encrypted so Palo is able to filter based on that value.</P> Tue, 08 May 2018 23:20:20 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213638#M62132 Remo 2018-05-08T23:20:20Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213685#M62134 <P>You are right. Palo can use data in SNI that is sent by the client.</P> Wed, 09 May 2018 05:14:24 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-a-specific-https-site-with-url-filtering/m-p/213685#M62134 Raido_Rattameister 2018-05-09T05:14:24Z