About RizwanJamil

Vsys_remo is correct. Here are the three relevant points from this kb with title "HOW TO IDENTIFY URL INFORMATION ON SSL TRAFFIC WITHOUT DECRYPTION":   The SNI is used for URL categorization when SSL decryption is not enabled. If the client does not send the SNI, then the  Common Name (CN) which represents the server name protected by the SSL certificate  is used for URL categorization. Putting the hostname of the web server in the allow or block list of a URL filtering profile will essentially accomplish the same goal as using the CN to enforce policy. ... View more

@Chacko42 please also note that I don't have URL filtering or SSL inspection enabled. So firewall is relying solely on the SNI information contained in the packet which is exactly the same as the one configured in the allow rule, however the firewall is still unable to match one with the other. ... View more

The FQDN refresh interval can now be reduced to even 1 second, starting from PANOS 9.0.   The range (in seconds) is now:  <0-14399>   ... View more

Hi @Chacko42 ,   I have observed Palo Alto PANOS 10.2.1 dropping the traffic even when it sees the same domain in the SNI field of the Client Hello packet, that is configured in the security policy allow rule, under URL Category field. And thus the website does not open at client's end. It is still unclear as to why the firewall is not able to match the two exactly same domains.   Please note that it is different from seeing in your browser "Your connection is not private" kind of message. In such case, the problem is that the SSL certificate offered by the server in response to the Client Hello packet, does not  match the name of the domain initially requested by the client. While, my scenario is different, where the website does not open at the first place and we see the traffic blocked by the interzone-default rule of Palo Alto firewall.   Any idea why does it happen? ... View more