How to Block a Specific HTTPS Site with URL Filtering

L3 Networker

Hi

If I want to use a URL Filtering Profile to block a particular "https" website (for example, youtube.com), do I compulsorily need a decryption profile as well?

This question is partly answered here:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-a-Specific-HTTPS-Site-with-...

But the example is specific to a sub-URL. I want to know for any HTTPS website.

Thanks and Regards,

R

3 REPLIES 3

Cyber Elite

If traffic is encrypted, then all that Palo sees is the name on the certificate, and it assumes the application/website based on that.

For example, in the case of Google it is *.google.com

In the case of SSL traffic, the HTTP GET goes inside the encrypted payload, and without decrypting, Palo does not see it.

As a result, Palo can't distinguish whether you go to maps.google.com or www.google.com etc.

Also, if you want to block specific YouTube videos, you need decryption to see the full URL the user tries to access.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Actually it is possible to have URL filtering configured without TLS decryption, because the client sends the hostname of the website where it wants to connect in the TLS handshake. This part of the connection is not encrypted so Palo is able to filter based on that value.

You are right. Palo can use data in SNI that is sent by the client.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011