- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- 5G
- IoT Security
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- ›
- Collaboration
- ›
- Discussions
- ›
- General Topics
- ›
- URL Filtering - TLS 1.3 Website
URL Filtering - TLS 1.3 Website
Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
Hi,
I am new to Palo Alto Firewalls and am in the middle of testing some of the functionalities provided. One of which is URL Filtering.
I have been able to clone the default URL Filtering Profile. I then added a website to the blocked list. Then assigned the profile to a security policy. And it worked.
I found this knowledge base article confirming URL for HTTPS is determind by checking certificate:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0
"For HTTPS traffic, since this protocol is being encrypted, the firewall usually looks at data inside the Server Certificate that is presented to the client during the SSL handshake. In the case of decryption, this traffic will be treated as normal HTTP traffic when it comes to identifying the category."
Why are URLs for TLS 1.3 recognized? With TLS 1.3 (as far as I understand) the certificate itself is not transferred in plain text anymore?
Happy to hear from you guys soon,
Regards Eve
Solved! Go to Solution.
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
Hi @tpmeier
The firewall does not only check the certificate in TLS connections for URL filtering - it also (or primary) uses the SNI extension (server name indication) in a TLS handshake. This extension contains the fqdn in cleartext - als in TLS1.3 connections (even though starting with TLS1.3 it is possible to encrypt this value with additional config steps).
That's the reason why URL filtering still works for a lot of websites that use TLS1.3.
Regards,
Remo
All Replies
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
Hi @tpmeier
The firewall does not only check the certificate in TLS connections for URL filtering - it also (or primary) uses the SNI extension (server name indication) in a TLS handshake. This extension contains the fqdn in cleartext - als in TLS1.3 connections (even though starting with TLS1.3 it is possible to encrypt this value with additional config steps).
That's the reason why URL filtering still works for a lot of websites that use TLS1.3.
Regards,
Remo
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
