The example screenshot below shows the Common Name value as "*.example.com".
A security policy can block "*.example.com", but that blocks the entire site. Since this is not the desired result, a URL Filtering Profile needs to be configured. The problem with the URL Filtering Profile is that the firewall needs to look into the session to pick up the full URL. The session is SSL-encrypted, so the firewall cannot inspect it and apply URL Filtering unless a decryption policy is enabled for the traffic.
Decryption should be implemented with care. If it is not already implemented on the firewall, the goal is to configure decryption to inspect the desired traffic. A decryption policy has a URL Category option. Decryption does not know the specific sub-page on the HTTPS site that needs to be blocked, because it works in the same manner as a Security Policy: the Decryption policy checks the "Issued To CN" on the presented certificate, and if it matches the setting under "URL Category", it decrypts the SSL session.
This makes it possible to decrypt traffic only for *.example.com while applying a URL Filtering profile that blocks only when a user goes to public.example.com/extension1/a.
Follow the steps shown below to configure the desired behavior:
1. Go to Objects > Custom Objects > URL Category and add a custom URL category named "Example Blacklist". Add public.example.com/extension1/a as a URL; do not prepend https:// to entries in the URL list.
2. Go to Objects > Custom Objects > URL Category and add a custom URL category named "Wildcard Blacklist". Add *.example.com to the URL list.
3. Go to Objects > Security Profiles > URL Filtering and create a URL Filtering profile named "Blacklisted HTTPS Sites" with the "Example Blacklist" custom URL category set to action *block* (it will be listed under Block Categories for the URL Filtering profile).
4. Go to Policies > Security and add a security policy for trust-to-untrust traffic named "Deny HTTPS Sites". Leave the action as allow, select Profile Settings > Profile Type > Profiles, and select the URL Filtering profile "Blacklisted HTTPS Sites".
5. Go to Device > Certificate Management > Certificates and generate two self-signed CA certificates, one named "Palo Alto Decryption Trusted" and one named "Palo Alto Decryption Untrusted". The CN of "Palo Alto Decryption Untrusted" can be the firewall's trusted IP; the CN of "Palo Alto Decryption Trusted" can be anything else wanted (export this certificate and push it to the users using Group Policy). Open the "Palo Alto Decryption Trusted" certificate and mark the checkbox "Forward Trust Certificate". Open the "Palo Alto Decryption Untrusted" certificate and mark the checkbox "Forward Untrust Certificate".
6. Go to Policies > Decryption and add a Decryption Policy named "Decrypt Blacklisted Sites": source zone trust, destination zone untrust, URL Category "Wildcard Blacklist", and options Action: Decrypt, Type: SSL Forward Proxy.
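To make the reasoning behind these steps concrete, here is an added Python model (not PAN-OS code, and not from the original article) of the decision flow the configuration produces: a Security policy or Decryption policy can only match the certificate CN, while the URL Filtering profile matches the full URL once the session is decrypted. The matching semantics are simplified assumptions of this model: a "*.example.com" entry matches the wildcard CN itself or any host under example.com, and a URL category entry matches host plus path prefix.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Session:
    cert_cn: str            # "Issued To CN" of the server certificate, visible in the handshake
    url: str                # full URL, visible to the firewall only after decryption
    decrypted: bool = False

def cn_matches(pattern: str, cn: str) -> bool:
    """Category entry vs certificate CN, the only thing a Security or Decryption
    policy can match on. Simplified (assumption of this model): "*.example.com"
    matches the wildcard CN itself and any host under example.com."""
    if pattern == cn:
        return True
    return pattern.startswith("*.") and cn.endswith(pattern[1:])

def url_matches(entry: str, url: str) -> bool:
    """Custom URL category entry vs full URL. Entries carry no scheme (hence
    "do not prepend https://"); host must match exactly, path is a prefix match."""
    host, _, path = entry.partition("/")
    parts = urlsplit(url)
    return parts.hostname == host and parts.path.startswith("/" + path)

def security_policy_blocks(session: Session, category: list[str]) -> bool:
    """The rejected approach: a deny rule on "*.example.com" sees only the CN,
    so it blocks every page of the site, not just the one sub-page."""
    return any(cn_matches(p, session.cert_cn) for p in category)

def evaluate(session: Session, decrypt_category: list[str], block_category: list[str]) -> str:
    """The article's approach: decrypt by CN, then filter by full URL."""
    # Step 1: Decryption policy ("Decrypt Blacklisted Sites") matches the CN only.
    if any(cn_matches(p, session.cert_cn) for p in decrypt_category):
        session.decrypted = True
    # Step 2: URL Filtering profile on the allow rule needs the decrypted URL;
    # without decryption the path never becomes visible and traffic stays allowed.
    if session.decrypted and any(url_matches(e, session.url) for e in block_category):
        return "block"
    return "allow"

WILDCARD_BLACKLIST = ["*.example.com"]                  # Decryption policy category
EXAMPLE_BLACKLIST = ["public.example.com/extension1/a"] # URL Filtering block category

if __name__ == "__main__":
    for target in ("https://public.example.com/extension1/a", "https://public.example.com/news"):
        s = Session(cert_cn="*.example.com", url=target)
        print(target, "->", evaluate(s, WILDCARD_BLACKLIST, EXAMPLE_BLACKLIST),
              "| CN-based deny rule would block:", security_policy_blocks(s, WILDCARD_BLACKLIST))
```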