Can we identify an HTTPS website's category by reading the cert's CN name part, as FortiGate does?


L0 Member

Hi, I asked my question in the title of my message. I also wonder what the danger of doing this kind of categorization is; why don't we prefer this?


L7 Applicator

This is done automatically.

 

If you are not doing SSL decryption, the firewall will use two mechanisms to determine the site category:

  • The client often will send a Server Name extension in their Client Hello, which provides the FQDN of what is being requested. 
  • If running 5.0 or older, or the Server Name extension is not used by the client, the firewall will use the CN for categorization.

Neither is as good as what you get with SSL decryption. When you actually do decryption, the full URI is available for categorization.

 

Using the CN is incomplete, because sites often separate content with subdirectories rather than subdomains. Using the example.com domain, it could look like this:

www.example.com/news

www.example.com/games

www.example.com/adult

 

In each example above, both the Server Name extension and the certificate's Common Name field would read the same: www.example.com.

 

There's no way to determine what the client has actually requested if you can't see the encrypted content, so it is not nearly as accurate as you get when decrypting.

 

-Greg

Hi Greg ,

Thanks for the answer. Actually, I was not interested in identifying subdomains. Palo Alto can't block Facebook or YouTube if they use HTTPS when I block streaming media or social networking, because it cannot read the CN from the cert. But FortiGate can read this. Don't misunderstand, please: I am not a fan of Forti, but it seems they can do something easier than us. If they can do it, why can't we? Maybe the engineers thought that there is a security issue about just searching that answer, or maybe we simply cannot do this. Also, I tested both PAN-DB and BrightCloud many times; we are far from being good at URL filtering. Maybe this depends on location: in Turkey it is not good enough to identify websites.

 
