https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244821#M69839 <P>Hi,</P><P>I am new to Palo Alto Firewalls and am in the middle of testing some of the functionalities provided. One of which is URL Filtering.</P><P>&nbsp;</P><P>I have been able to clone the default URL Filtering Profile. I then added a website to the blocked list. Then assigned the profile to a security policy. And it worked.</P><P>&nbsp;</P><P>I found this knowledge base article confirming URL for HTTPS is determind by checking certificate:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0</A></P><P>"For HTTPS traffic, since this protocol is being encrypted, the firewall usually looks at data inside the Server Certificate that is presented to the client during the SSL handshake. In the case of decryption, this traffic will be treated as normal HTTP traffic when it comes to identifying the category."</P><P>&nbsp;</P><P>Why are URLs for TLS 1.3 recognized? With TLS 1.3&nbsp; (as far as I understand) the certificate itself is not transferred in plain text anymore?</P><P>&nbsp;</P><P>Happy to hear from you guys soon,<BR />Regards Eve</P><P>&nbsp;</P> Fri, 04 Jan 2019 13:59:43 GMT tpmeier 2019-01-04T13:59:43Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244821#M69839 <P>Hi,</P><P>I am new to Palo Alto Firewalls and am in the middle of testing some of the functionalities provided. One of which is URL Filtering.</P><P>&nbsp;</P><P>I have been able to clone the default URL Filtering Profile. I then added a website to the blocked list. Then assigned the profile to a security policy. And it worked.</P><P>&nbsp;</P><P>I found this knowledge base article confirming URL for HTTPS is determind by checking certificate:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0</A></P><P>"For HTTPS traffic, since this protocol is being encrypted, the firewall usually looks at data inside the Server Certificate that is presented to the client during the SSL handshake. In the case of decryption, this traffic will be treated as normal HTTP traffic when it comes to identifying the category."</P><P>&nbsp;</P><P>Why are URLs for TLS 1.3 recognized? With TLS 1.3&nbsp; (as far as I understand) the certificate itself is not transferred in plain text anymore?</P><P>&nbsp;</P><P>Happy to hear from you guys soon,<BR />Regards Eve</P><P>&nbsp;</P> Fri, 04 Jan 2019 13:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244821#M69839 tpmeier 2019-01-04T13:59:43Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244931#M69855 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/99633">@tpmeier</a></P><P>&nbsp;</P><P>The firewall does not only check the certificate in TLS connections for URL filtering - it also (or primary) uses the SNI extension (server name indication) in a TLS handshake. This extension contains the fqdn in cleartext - als in TLS1.3 connections (even though starting with TLS1.3 it is possible to encrypt this value with additional config steps).</P><P>That's the reason why URL filtering still works for a lot of websites that use TLS1.3.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Fri, 04 Jan 2019 18:32:54 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244931#M69855 Remo 2019-01-04T18:32:54Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/531657#M109645 <P>Vsys_remo is correct. Here are the three relevant points from this kb with title "<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PObsCAG&amp;lang=en_US%E2%80%A9&amp;refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail" target="_self">HOW TO IDENTIFY URL INFORMATION ON SSL TRAFFIC WITHOUT DECRYPTION</A>":</P> <P>&nbsp;</P> <UL> <LI>The SNI is used for URL categorization when SSL decryption is not enabled.</LI> <LI>If the client does not send the SNI, then the &nbsp;Common Name (CN) which represents the server name protected by the SSL certificate &nbsp;is used for URL categorization.</LI> <LI>Putting the hostname of the web server in the allow or block list of a URL filtering profile will essentially accomplish the same goal as using the CN to enforce policy.</LI> </UL> Sun, 19 Feb 2023 12:39:45 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/531657#M109645 RizwanJamil 2023-02-19T12:39:45Z