https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364532#M88479 <P>Thank you for the reply!&nbsp; Always good to hear from you.&nbsp; &nbsp;</P><P>&nbsp;</P><P>I'm wondering about the effectiveness of URL categories that are not decrypted on the firewall in a TLS1.3 world.&nbsp; Do they become worthless?</P><P>&nbsp;</P><P>&nbsp;</P><P>Found the below link, but it still doesn't give a lot of info on the tls1.3 encrypted SNI.&nbsp; &nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC</A>&nbsp;</P> Fri, 20 Nov 2020 18:08:50 GMT Sec101 2020-11-20T18:08:50Z https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364238#M88458 <P>In non decrypted tls 1.3 traffic, how is the firewall in 10.0 seeing the URL that a user requests and how is it enforcing that category?&nbsp; I've read that tls1.3 encrypts the SNI field, which from my understanding, is the primary way the palo firewalls read and implement URL categories on non-decrypted traffic.&nbsp; &nbsp;</P><P>&nbsp;</P><P>If we don't decrypt on certain traffic (ex. financial), and that traffic is tls1.3, how is the firewall seeing a destination, other than an IP address, and how is it trying to utilize what it sees to a URL category?</P><P>&nbsp;</P><P>&nbsp;</P><P>I've read below, but still a bit foggy on this, as would this break URL categories period for non-decrypted traffic?</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244821#M69839" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/url-filtering-tls-1-3-website/m-p/244821#M69839</A>&nbsp;</P> Thu, 19 Nov 2020 18:45:20 GMT https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364238#M88458 Sec101 2020-11-19T18:45:20Z https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364428#M88468 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/157358">@Sec101</a></P> <P>TLSv1.3&nbsp;<EM>supports&nbsp;</EM>encrypting the SNI field, but there's additional work that needs to be done to do so and a lot of sites aren't doing so at this time. For sites that choose to encrypt the SNI field, I imagine that the traffic is simply decrypted until the firewall can see what the site actually is and then it stops for the remainder of the established session. I could be wrong on that, but that's about as far as you could handle that situation as far as TLSv1.3 with encrypted SNI is concerned. I might have to lab this up this weekend to see exactly how that functions.&nbsp;</P> Fri, 20 Nov 2020 04:58:00 GMT https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364428#M88468 BPry 2020-11-20T04:58:00Z https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364532#M88479 <P>Thank you for the reply!&nbsp; Always good to hear from you.&nbsp; &nbsp;</P><P>&nbsp;</P><P>I'm wondering about the effectiveness of URL categories that are not decrypted on the firewall in a TLS1.3 world.&nbsp; Do they become worthless?</P><P>&nbsp;</P><P>&nbsp;</P><P>Found the below link, but it still doesn't give a lot of info on the tls1.3 encrypted SNI.&nbsp; &nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC</A>&nbsp;</P> Fri, 20 Nov 2020 18:08:50 GMT https://live.paloaltonetworks.com/t5/general-topics/tls-1-3-encrypted-sni-no-decrypt-url-categories/m-p/364532#M88479 Sec101 2020-11-20T18:08:50Z