11-04-2020 12:38 PM
I'm having an issue with URL Categories and SSL Decryption. I have two decryption policies; the first is a no-decrypt policy for URL Categories matching "financial-services" and "healthcare-and-medicine," and the second policy is a decrypt-all for service-https. The second rule is working great and decrypting traffic as expected, however, the first rule is not working. If I visit a financial site (discover.com, chase.com, etc) the site is getting decrypted. The log shows the site as matching against "low-risk" instead of "financial-services." This happens for most sites and is not limited to the examples provided. If I visit https://urlfiltering.paloaltonetworks.com/ it shows discover.com gets categorized as financial-services first, then low-risk. What can I do to ensure the firewall categorizes these sites as financial-services instead of low-risk so that they do not get decrypted?
11-04-2020 01:04 PM - edited 11-04-2020 01:09 PM
For me it is working fine when i access that website it does not get decrypted.
I also see it categorize as financial first then low risk.
Seems it is by design as per my understanding.
Make sure under decryption policy for financial services under options action is set to no decrypt.
Regards
11-04-2020 02:59 PM
The policy was in place with no-decrypt, but that wasn't the issue. I was able to solve this by adding these categories directly to the policy.
The problem occurred when using a custom URL Category object where I added financial-services and health-and-medicine. I then applied the custom object to the no-decrypt policy, but it failed to appropriately reference the custom object, and sites were still being decrypted. Instead of adding the custom object, I added these categories directly to the policy, and since then it has worked fine.
Thank you for the quick response!
11-04-2020 03:08 PM
I my config i was using these default categories not the custom one.
I never tried custom categories as PA already have those built in so no use of creating custom categories.
I only used custom categories for single urls not for whole url category.
Thanks for updating the community.
Regards
11-04-2020 06:04 PM
That definitely sounds like a bug, and one that I can't duplicate on 9.1.5. What version of PAN-OS are you running currently?
11-05-2020 08:38 AM - edited 11-05-2020 08:39 AM
I should clarify; I didn't create a custom category, but rather created a group for these categories. Objects>Custom Objects>URL Category>Add>Type 'Category Match'. I added these categories into that custom object group, and applied the custom object group to the no-decrypt policy. However, the no-decrypt policy failed to reference the custom category group.
I'm currently using version 9.0.9-h1
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
