SSL Decryption URL and App Filter


SSL Decryption URL and App Filter

L1 Bithead

Hello everyone,

I have to block some URLs and applications as per our company policies. Since we don't have a general rule from the inside zone to the outside (Internet), we are very restrictive in our access to the Internet, and since there are some websites and applications that we need to block explicitly no matter what, what I did was create a top policy from the inside zone (any IP) to the outside zone (any IP) in order to block all the requested applications and URLs. I created an application group including all the applications to be blocked, and I also created a URL category for our blocked URLs, so:

 

1- Can I use, in the same policy, the app group under Application and then add the URL group under Service/URL Category? I have this doubt since I understand that all the tabs (except the last, the Action tab) of the policy rule are IF conditions, meaning that all of them have to match in order for the rule to apply and THEN deny or allow as per the selected action. So let's say, for example, under apps I have youtube, facebook, skype... and under the URL group I have xyz.com, abc.com.... Obviously there is no way that all apps match all URLs, but because of the IF/THEN logic of the policy rules I'm confused here about whether this setup is correct.

2- Do I need to enable SSL Decryption? I know most of the traffic is going to be encrypted, so how, if there is no SSL decryption, is the Palo Alto going to be able to look deep into the data flow and inspect which application and URL are actually present in order to determine whether to block or allow them?

Thank you!!!

Accepted Solutions

Cyber Elite

For 1. You are correct, all the tabs are matching conditions, so mixing URLs with applications is tricky. It is best to split that up into 2 policies.

For 2. Although SSL decryption is preferred for Layer 7 inspection, the firewall is able to identify many applications and URLs based on the SNI (server name identification) in the SSL certificate.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization



Thank you for the clarification!!!

I will split the URL and app rule as you said. I also think it is safer.

I was afraid I had to enable SSL decryption to achieve URL/app filtering. I did not know how the firewall was able to identify the app, so SNI saves the day.

 

Thank you!!
