This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

can we identify an https web-site category reading certs cn name part as fortigate do ?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

can we identify an https web-site category reading certs cn name part as fortigate do ?

Yavuz_Ozdemir
L0 Member

‎09-09-2015 01:27 PM

hi i asked my question in title of my message i also wonder what is the danger of doing this kind of categorization , why don't we prefer this ?

0 Likes Likes
2 REPLIES 2

gwesson
L7 Applicator

‎09-09-2015 03:36 PM

This is done automatically.

 

If you are not doing SSL decryption, the firewall will use two mechanisms to determine the site category:

  • The client often will send a Server Name extension in their Client Hello, which provides the FQDN of what is being requested. 
  • If running 5.0 or older, or the Server Name extension is not used by the client, the firewall will use the CN for categorization.

Neither is as good as what you get with SSL decryption. When you actually do decryption, the full URI is available for categorization.

 

Using the CN is incomplete, because sites often separate content with subdirectories rather than subdomains. Using the example.com domain, it could look like this:

www.example.com/news

www.example.com/games

www.example.com/adult

 

In each example above, both the Server Name extension and the certificate's Common Name field would read the same: www.example.com.

 

There's no way to determine what the client has actually requested if you can't see the encrypted content, so it is not nearly as accurate as you get when decrypting.

 

-Greg

0 Likes Likes

MyTechnic
L0 Member
In response to gwesson

‎09-17-2015 01:32 AM

Hi Greg ,

thaks for the answer , actually i did not interest in identifiying subdomains , paloalto can't block facebook or youtube if they use https, when i block streaming media or social networking becouse it can not read cn from the cert.but fortigate can read this , don't misunderstand please i am not a fan of forti but it seems they can do sometihg easier than us , if they can do why we can not , may be the engineers thougt that there is a security issue about just searching that answer or may be simply we can not do this . also i tested both pan-db and brightcloud many times we are far from being good about url filtering . may be this depends on location in Turkey it is not good enough to identify web-sites .

 

0 Likes Likes
  • 1869 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks