04-27-2018 01:36 PM
Hello all! I've got a question on URL category alerting. I can set up alerting for malware and phishing categories, for example. I get the alerts if the site is HTTP only. I don't seem to get them if it is HTTPS.
My question is this... Shouldn't the domain names still get flagged for those categories just on the DNS query? Not only that but domain names are not obfuscated in HTTPS traffic. Shouldn't they still be alerting regardless?
We need to alert on sites for our clients who mostly want our device in TAP mode and I'm super confused on this. Thanks in advance for any help you get provide!
05-10-2018 10:04 AM
Paloalto Firewalls are logging also https URLs (at least the domain name) even without decryption. What does your security policy look like? Do you have the URL filtering profile only applied to a rule where web-browsing is configured but not on ssl traffic?
05-15-2018 06:27 AM
The DNS query is not directly matched against a http(s) connection as that would require too much correlation in most cases
instead (and this is far more efficient), we do inspect certificate CN or SNI hostname in the handshake for ssl IF the session is matched against a security policy where url filtering is enabled for ssl (provided you are on a PAN-OS that is not older than 6.0)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
