URL Categories and SSL Decryption

L1 Bithead

I'm having an issue with URL Categories and SSL Decryption. I have two decryption policies; the first is a no-decrypt policy for URL Categories matching "financial-services" and "healthcare-and-medicine," and the second policy is a decrypt-all for service-https. The second rule is working great and decrypting traffic as expected; however, the first rule is not working. If I visit a financial site (discover.com, chase.com, etc.) the site is getting decrypted. The log shows the site as matching against "low-risk" instead of "financial-services." This happens for most sites and is not limited to the examples provided. If I visit https://urlfiltering.paloaltonetworks.com/ it shows discover.com gets categorized as financial-services first, then low-risk. What can I do to ensure the firewall categorizes these sites as financial-services instead of low-risk so that they do not get decrypted?

Cyber Elite

@KAckerman12 

For me it is working fine; when I access that website it does not get decrypted.

I also see it categorized as financial first, then low risk.

It seems this is by design, as per my understanding.

Make sure that, under the decryption policy for financial services, the action under Options is set to no-decrypt.

 

Regards

 

MP
L1 Bithead

The policy was in place with no-decrypt, but that wasn't the issue. I was able to solve this by adding these categories directly to the policy.

The problem occurred when using a custom URL Category object where I added financial-services and health-and-medicine. I then applied the custom object to the no-decrypt policy, but it failed to appropriately reference the custom object, and sites were still being decrypted.  Instead of adding the custom object, I added these categories directly to the policy, and since then it has worked fine. 

Thank you for the quick response!

Cyber Elite

@KAckerman12 

In my config I was using these default categories, not the custom one.

I never tried custom categories, as PA already has those built in, so there is no use in creating custom categories.

I only used custom categories for single URLs, not for a whole URL category.

Thanks for updating the community.

 

Regards

MP
Cyber Elite

@KAckerman12 

That definitely sounds like a bug, and one that I can't duplicate on 9.1.5. What version of PAN-OS are you running currently? 

L1 Bithead

I should clarify; I didn't create a custom category, but rather created a group for these categories. Objects>Custom Objects>URL Category>Add>Type 'Category Match'.  I added these categories into that custom object group, and applied the custom object group to the no-decrypt policy. However, the no-decrypt policy failed to reference the custom category group. 

I'm currently using version 9.0.9-h1
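
As an added example (not part of the thread and not Palo Alto Networks code), here is a small audit that flags no-decrypt rules matching through a custom 'Category Match' object, the setup the original poster reported as failing on 9.0.9-h1, and lists the built-in categories to put on the rule directly. The XML element layout is an assumption modelled on a PAN-OS config export, and the rule and object names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption modelled on a PAN-OS
# XML config export. Object and rule names are hypothetical.
SAMPLE_CONFIG = """
<vsys>
  <profiles>
    <custom-url-category>
      <entry name="no-decrypt-group">
        <type>Category Match</type>
        <list><member>financial-services</member><member>health-and-medicine</member></list>
      </entry>
    </custom-url-category>
  </profiles>
  <rulebase>
    <decryption>
      <rules>
        <entry name="no-decrypt-sensitive">
          <category><member>no-decrypt-group</member></category>
          <action>no-decrypt</action>
        </entry>
        <entry name="decrypt-all">
          <action>decrypt</action>
        </entry>
      </rules>
    </decryption>
  </rulebase>
</vsys>
"""

def audit_no_decrypt(config_xml):
    """Return {rule: {custom_object: [categories]}} for no-decrypt rules
    that match through a custom 'Category Match' object."""
    root = ET.fromstring(config_xml)
    groups = {}
    for e in root.iterfind(".//custom-url-category/entry"):
        if e.findtext("type") == "Category Match":
            groups[e.get("name")] = [m.text for m in e.iterfind("list/member")]
    findings = {}
    for rule in root.iterfind(".//decryption/rules/entry"):
        if rule.findtext("action") != "no-decrypt":
            continue
        used = {m.text: groups[m.text] for m in rule.iterfind("category/member") if m.text in groups}
        if used:
            findings[rule.get("name")] = used
    return findings

if __name__ == "__main__":
    print(audit_no_decrypt(SAMPLE_CONFIG))
```

Each finding names a no-decrypt rule whose match depends on the custom object, together with the categories that would need to be listed on the rule itself to apply the workaround described in the thread.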
