How to Block a Specific HTTPS Site with URL Filtering

by mivaldi on 06-10-2014 05:42 PM


URL filtering presents some challenges when blocking a specific HTTPS site and, at the same time, allowing everything else under that site.

For example, the requirement is to block "", but allow "".

Using Security Policies and Custom URL Categories will only match the "Issued To" Common Name (CN) on the certificate presented by the site.

Note: With the release of PAN-OS 6.0, there is an additional match on the SNI field, which is presented in the SSL Client Hello message. For further details refer to: Resolving URL Category in Decryption Policy When Multiple URLs are Behind the Same IP.

The example screenshot below shows the Common Name value as "*".

[Screenshot: certificate "Issued To" Common Name value]

A security policy can block "*", but that will result in blocking the entire site. Since this is not the desired result, a URL Filtering Profile needs to be configured. However, the problem with the URL Filtering Profile is that the firewall needs to look into the session to be able to pick up the full URL. The session is SSL-encrypted, and the firewall cannot inspect it to apply the URL Filtering unless a decryption policy is enabled on the traffic.

Decryption should be implemented with care. If not already implemented on the firewall, the goal is to configure the decryption to inspect only the desired traffic. In a decryption policy, there is a URL Category option. The decryption policy does not know the specific sub-page on the HTTPS site that needs to be blocked, because it works in the same manner as a Security Policy: it checks the "Issued To" CN on the presented certificate. If that matches the setting under "URL Category", the firewall decrypts the SSL session, and only then can the URL Filtering profile see the full URL.

This is useful when decrypting traffic only for *, but applying a URL Filter to block only if a user goes to:

Note: "https://" was removed from the above URL.


Follow the steps shown below to configure the desired behavior:

  1. Go to Objects > Custom Objects > URL Category, add a custom URL category named "Example Blacklist". Add as a URL; do not prepend https:// to the URL list entry.
    [Screenshot: custom URL category "Example Blacklist"]
  2. Go to Objects > Custom Objects > URL Category, add a custom URL category named "Wildcard Blacklist". Add * to the URL list.
    [Screenshot: custom URL category "Wildcard Blacklist"]
  3. Go to Objects > Security Profiles > URL Filtering, create a URL Filtering profile named "Blacklisted HTTPS Sites" with the "Example Blacklist" custom URL category set to action *block* (it will be listed under Block Categories for the URL Filtering profile).
    [Screenshot: URL Filtering profile "Blacklisted HTTPS Sites"]
  4. Go to Policies > Security, add a security policy for trust to untrust traffic named "Deny HTTPS Sites", leave the action as allow, select Profile Settings > Profile Type and select Profiles. Select URL Filtering "Blacklisted HTTPS Sites".
    [Screenshots: security policy "Deny HTTPS Sites" and its profile settings]
  5. Go to Device > Certificate Management > Certificates, generate two self-signed CA certificates, one named "Palo Alto Decryption Trusted" and one named "Palo Alto Decryption Untrusted". The CN on the certificates can be the firewall's trusted IP for "Palo Alto Decryption Untrusted", and anything else wanted for "Palo Alto Decryption Trusted" (export this certificate and push it to the users using Group Policy). Open the "Palo Alto Decryption Trusted" certificate and mark the checkbox for "Forward Trust Certificate". Open the "Palo Alto Decryption Untrusted" certificate and mark the checkbox for "Forward Untrust Certificate".
    [Screenshots: the two self-signed CA certificates with Forward Trust / Forward Untrust set]
  6. Go to Policies > Decryption, add a Decryption Policy named "Decrypt Blacklisted Sites", set source zone trust, destination zone untrust, select URL Category "Wildcard Blacklist", and set the options Action: Decrypt, Type: SSL Forward Proxy.
    [Screenshot: decryption policy "Decrypt Blacklisted Sites"]
  7. Commit; the URL will now be blocked.
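The following Python model is an added illustration of the two-stage evaluation the steps above build; it is not PAN-OS code and not from the article's author. It shows why a URL Filtering profile alone cannot block one page of an HTTPS site (only the CN/SNI host is visible), why blocking the wildcard category in a Security Policy would block the whole site, and how the decryption policy (matched on the host category) makes the full URL visible so that the path-specific entry can be blocked. The host `example.com` and the path `/private/` are constructed placeholders for the site the article elides, and the wildcard semantics used here (`fnmatch` style) are the model's own simplification, not a statement about how PAN-OS matches category entries.

```python
from fnmatch import fnmatchcase

# Custom URL categories from steps 1 and 2 (constructed entries, no scheme).
CUSTOM_CATEGORIES = {
    # step 1: one sub-page of the site; a host/path entry can only match
    # once the firewall can see the full URL
    "Example Blacklist": ["example.com/private/"],
    # step 2: the whole site, matched on the host (CN / SNI) alone
    "Wildcard Blacklist": ["*.example.com", "example.com"],
}
# Step 6: the decryption policy decrypts when the host matches this category.
DECRYPT_CATEGORIES = ["Wildcard Blacklist"]
# Step 3: the URL Filtering profile blocks when the visible URL matches this.
BLOCK_CATEGORIES = ["Example Blacklist"]


def split_entry(entry):
    """'host/path' -> ('host', '/path'); a bare 'host' -> ('host', '')."""
    host, sep, path = entry.partition("/")
    return host, (sep + path) if sep else ""


def entry_matches(entry, host, path=None):
    """Match one category entry against what the firewall can see.

    path=None models a session that is NOT decrypted: only the host from the
    certificate CN / SNI is visible, so a path-specific entry can never match.
    """
    entry_host, entry_path = split_entry(entry)
    if not fnmatchcase(host, entry_host):      # simplified wildcard host match
        return False
    if not entry_path:
        return True                            # host-only entry: CN/SNI is enough
    if path is None:
        return False                           # need the decrypted URL for this
    return path.startswith(entry_path)         # simplified path-prefix match


def category_matches(category, host, path=None):
    return any(entry_matches(e, host, path) for e in CUSTOM_CATEGORIES[category])


def blocked_by_security_policy_on_cn(host):
    """What a Security Policy that blocks 'Wildcard Blacklist' would do: it
    sees only the CN, so every page of the site is blocked (the undesired
    outcome the article warns about)."""
    return category_matches("Wildcard Blacklist", host)


def decryption_policy_decrypts(host):
    """Step 6: the decryption policy also sees only the CN / SNI host."""
    return any(category_matches(c, host) for c in DECRYPT_CATEGORIES)


def evaluate(host, path, decryption_configured=True):
    """Return 'block' or 'allow' for a request to https://<host><path>.

    With the decryption policy in place, sessions to the wildcard category
    are decrypted, the full URL becomes visible, and the URL Filtering
    profile blocks only the path-specific entry. Without it, the profile
    never sees the path and the request is allowed.
    """
    decrypted = decryption_configured and decryption_policy_decrypts(host)
    visible_path = path if decrypted else None
    for category in BLOCK_CATEGORIES:
        if category_matches(category, host, visible_path):
            return "block"
    return "allow"


if __name__ == "__main__":
    for host, path, decrypt in [
        ("example.com", "/private/report", True),    # the one page to block
        ("example.com", "/public/index", True),      # rest of the site stays open
        ("example.com", "/private/report", False),   # URL filter alone: not visible
        ("other.org", "/private/report", True),      # not decrypted, not matched
    ]:
        print(f"{host}{path} decryption={decrypt}: {evaluate(host, path, decrypt)}")
    print("security policy on CN would block www.example.com entirely:",
          blocked_by_security_policy_on_cn("www.example.com"))
```

Run it as a script to see the four decisions; the third line is the case the article describes, where the same request is allowed simply because the firewall never saw the path.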

owner: mivaldi

by ramboza
on 08-10-2016 09:15 PM

If it can catch CN from the certificate, why can't it catch SANs as well and match them against the URLs?

by paula.monry
on 10-21-2016 08:38 AM

Hello, my English is not very good, so hopefully you manage to understand my problem. I have a PA-5050 firewall on version 7.0.6. I have navigation rules for users during business hours and others for "free" hours. My problem is that when they fall into the free navigation policy and browse YouTube, and then return to the blocking rule, YouTube is not blocked; you need to clear the laptop's cache to get it blocked. I block through URL filtering and have blocked the streaming category, and I also block the YouTube URL in this list. But as I mentioned before, I keep having to delete the cache on the machines for it to work, which is not practical, and there are more than 200 users. I appreciate your help.

on 10-21-2016 12:00 PM

@paula.monry, I think I understand what is happening. But for something like this, it is recommended that you contact our support (TAC) and see if there is anything that they can do to help resolve your issue.


p.s. I deleted your extra comment you had.

by paula.monry
on 10-25-2016 01:07 PM

@jdelio Thanks for the advice. I actually opened a support case with Palo Alto, but they have also failed to resolve the situation. On review, the error only occurs with the Internet Explorer browser, which is the one authorized by the organization.
