topic Re: URL alerting without SSL decryption in General Topics

URL alerting without SSL decryption

BrendanOConnell — Fri, 27 Apr 2018 20:36:54 GMT

Hello all! I've got a question on URL category alerting. I can set up alerting for malware and phishing categories, for example. I get the alerts if the site is HTTP only. I don't seem to get them if it is HTTPS.

My question is this... Shouldn't the domain names still get flagged for those categories just on the DNS query? Not only that but domain names are not obfuscated in HTTPS traffic. Shouldn't they still be alerting regardless?

We need to alert on sites for our clients who mostly want our device in TAP mode and I'm super confused on this. Thanks in advance for any help you get provide!

Re: URL alerting without SSL decryption

Remo — Thu, 10 May 2018 17:04:17 GMT

Paloalto Firewalls are logging also https URLs (at least the domain name) even without decryption. What does your security policy look like? Do you have the URL filtering profile only applied to a rule where web-browsing is configured but not on ssl traffic?

Re: URL alerting without SSL decryption

reaper — Tue, 15 May 2018 13:27:52 GMT

The DNS query is not directly matched against a http(s) connection as that would require too much correlation in most cases

instead (and this is far more efficient), we do inspect certificate CN or SNI hostname in the handshake for ssl IF the session is matched against a security policy where url filtering is enabled for ssl (provided you are on a PAN-OS that is not older than 6.0)