URL alerting without SSL decryption


L1 Bithead

Hello all! I've got a question on URL category alerting. I can set up alerting for malware and phishing categories, for example. I get the alerts if the site is HTTP only. I don't seem to get them if it is HTTPS.

My question is this... Shouldn't the domain names still get flagged for those categories just on the DNS query? Not only that but domain names are not obfuscated in HTTPS traffic. Shouldn't they still be alerting regardless?

We need to alert on sites for our clients who mostly want our device in TAP mode and I'm super confused on this. Thanks in advance for any help you can provide!

2 REPLIES

L7 Applicator

Palo Alto firewalls also log HTTPS URLs (at least the domain name) even without decryption. What does your security policy look like? Do you have the URL filtering profile only applied to a rule where web-browsing is configured but not on SSL traffic?

Cyber Elite

The DNS query is not directly matched against an HTTP(S) connection, as that would require too much correlation in most cases.

Instead (and this is far more efficient), we do inspect the certificate CN or SNI hostname in the handshake for SSL IF the session is matched against a security policy where URL filtering is enabled for SSL (provided you are on a PAN-OS that is not older than 6.0).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization