topic Re: Issue with URL Category in General Topics

Issue with URL Category

AlertsUser — Fri, 14 Dec 2018 15:38:09 GMT

We have just setup SSL decryption and added custom response pages on our firewall. We have a custom filter for shopping sites and the category is set to alert, if a user is a member of an AD group associated with this filter it works fine. We decided in our fall back filter to set the category to continue which would display a message and allow the user to click continue to the site. The problem is any shopping site visited the user gets a generic page cannot be displayed in their browser, decryption is disabled for the shopping category but cannot determine why this is failing when other categories which are set to continue seem to work ok. Any one have any ideas why this one category is not working correctly?

Re: Issue with URL Category

Raido_Rattameister — Fri, 14 Dec 2018 16:00:39 GMT

Issue is that if traffic is HTTP then it goes like this.

SYN

SYN ACK

ACK

HTTP GET

Response containing website (Palo can intercept and send back continue page)

In case on HTTPS

SYN

SYN ACK

ACK

Client Hello

Server Hello

Server Certificate

HTTP GET (encrypted)

Response containing website (encrypted, Palo can't see this and cannot intercept)

Re: Issue with URL Category

AlertsUser — Fri, 14 Dec 2018 16:33:04 GMT

Yep of course seeing your explaination makes it clear, if the site is not decrypted then the firewall does not known what category the website is under and therefore does not display the response page, thanks.

Re: Issue with URL Category

Raido_Rattameister — Fri, 14 Dec 2018 17:03:23 GMT

It still knows because it can read domain and SNI information from the certificate but it can't see exact url visited.

For example Google services use *.google.com

So you don't know if user went to search, maps or some other service.

Re: Issue with URL Category

MP18 — Fri, 14 Dec 2018 19:14:19 GMT

Great info Raido