topic Re: URL Categories and SSL Decryption in General Topics

URL Categories and SSL Decryption

KAckerman12 — Wed, 04 Nov 2020 20:38:52 GMT

I'm having an issue with URL Categories and SSL Decryption. I have two decryption policies; the first is a no-decrypt policy for URL Categories matching "financial-services" and "healthcare-and-medicine," and the second policy is a decrypt-all for service-https. The second rule is working great and decrypting traffic as expected, however, the first rule is not working. If I visit a financial site (discover.com, chase.com, etc) the site is getting decrypted. The log shows the site as matching against "low-risk" instead of "financial-services." This happens for most sites and is not limited to the examples provided. If I visit https://urlfiltering.paloaltonetworks.com/ it shows discover.com gets categorized as financial-services first, then low-risk. What can I do to ensure the firewall categorizes these sites as financial-services instead of low-risk so that they do not get decrypted?

Re: URL Categories and SSL Decryption

MP18 — Wed, 04 Nov 2020 21:09:50 GMT

@KAckerman12

For me it is working fine when i access that website it does not get decrypted.

I also see it categorize as financial first then low risk.

Seems it is by design as per my understanding.

Make sure under decryption policy for financial services under options action is set to no decrypt.

Regards

Re: URL Categories and SSL Decryption

KAckerman12 — Wed, 04 Nov 2020 22:59:31 GMT

The policy was in place with no-decrypt, but that wasn't the issue. I was able to solve this by adding these categories directly to the policy.

The problem occurred when using a custom URL Category object where I added financial-services and health-and-medicine. I then applied the custom object to the no-decrypt policy, but it failed to appropriately reference the custom object, and sites were still being decrypted. Instead of adding the custom object, I added these categories directly to the policy, and since then it has worked fine.

Thank you for the quick response!

Re: URL Categories and SSL Decryption

MP18 — Wed, 04 Nov 2020 23:08:24 GMT

@KAckerman12

I my config i was using these default categories not the custom one.

I never tried custom categories as PA already have those built in so no use of creating custom categories.

I only used custom categories for single urls not for whole url category.

Thanks for updating the community.

Regards

Re: URL Categories and SSL Decryption

BPry — Thu, 05 Nov 2020 02:04:52 GMT

@KAckerman12

That definitely sounds like a bug, and one that I can't duplicate on 9.1.5. What version of PAN-OS are you running currently?

Re: URL Categories and SSL Decryption

KAckerman12 — Thu, 05 Nov 2020 16:39:43 GMT

I should clarify; I didn't create a custom category, but rather created a group for these categories. Objects>Custom Objects>URL Category>Add>Type 'Category Match'. I added these categories into that custom object group, and applied the custom object group to the no-decrypt policy. However, the no-decrypt policy failed to reference the custom category group.

I'm currently using version 9.0.9-h1