I'm having an issue with URL Categories and SSL Decryption. I have two decryption policies; the first is a no-decrypt policy for URL Categories matching "financial-services" and "healthcare-and-medicine," and the second policy is a decrypt-all for service-https. The second rule is working great and decrypting traffic as expected; however, the first rule is not working. If I visit a financial site (discover.com, chase.com, etc.) the site is getting decrypted. The log shows the site as matching against "low-risk" instead of "financial-services." This happens for most sites and is not limited to the examples provided. If I visit https://urlfiltering.paloaltonetworks.com/ it shows discover.com gets categorized as financial-services first, then low-risk. What can I do to ensure the firewall categorizes these sites as financial-services instead of low-risk so that they do not get decrypted?
For me it is working fine; when I access that website it does not get decrypted.
I also see it categorized as financial first, then low risk.
Seems it is by design as per my understanding.
Make sure that in the decryption policy for financial services, under Options, the action is set to no decrypt.
The policy was in place with no-decrypt, but that wasn't the issue. I was able to solve this by adding these categories directly to the policy.
The problem occurred when using a custom URL Category object where I added financial-services and health-and-medicine. I then applied the custom object to the no-decrypt policy, but it failed to appropriately reference the custom object, and sites were still being decrypted. Instead of adding the custom object, I added these categories directly to the policy, and since then it has worked fine.
Thank you for the quick response!
In my config I was using these default categories, not the custom one.
I never tried custom categories, as PA already has those built in, so there is no use in creating custom categories.
I only used custom categories for single URLs, not for a whole URL category.
Thanks for updating the community.