03-05-2026 12:10 AM
Hi team
We have received reports from users regarding URL filtering behavior and are investigating whether ECH (Encrypted Client Hello) is the cause. In our environment, we cannot apply SSL decryption, so we rely on inspecting the SNI
in the ssl_client_hello.
In Wireshark captures of the TLS ClientHello, we see the extension “encrypted_client_hello (ECH)”. It appears that Cloudflare allows a generic external SNI and encrypts
the internal SNI, which is where the actual URL to be accessed goes. This makes URL filtering less effective.
Can you confirm this?
1. How ECH affects URL filtering and destination identification in PAN-OS without decryption (official limitations).
2. Whether Palo Alto recommends blocking/mitigating ECH in corporate environments to maintain the effectiveness of URL filtering.
3. What is the supported method for blocking/preventing ECH (e.g., signature to detect ECH in ClientHello, or blocking associated DNS RRs such as HTTPS/SVCB) and how to validate it in logs.
Thank you,
03-06-2026 07:43 AM
Hi @Alpalo ,
To maintain optimal function of the security services of the firewall, Palo Alto Networks recommends blocking all ECH-supporting record types.
Hope this helps,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
