08-28-2018 03:24 AM
I am trying to implement URL Filtering for HTTPS websites but without decryption. I found a post on how to deliver response pages to users. (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an. )
The URL Filtering is working for me but I don't understand the flow. What exactly is the firewall doing?
1. Is the forward trust certificate used to read the HTTPS header?
2. We don't have any decryption profiles. Is any kind of decryption happening?
3. The URL Filtering works if the user is using a browser to open an application. But when the user uses an application to access a URL, the connection fails. Any ideas what could be going wrong here?
Thanks and Regards,
1 accepted solution
08-28-2018 10:29 AM
@rjdahav163 wrote: 1. Is forward trust certificate used to read the HTTPS header?
No, as @OtakarKlier already wrote, the headers are sent in cleartext so the firewall can simply read them without any additional steps. In these headers (->TLS handshake) the client also sends the FQDN it wants to connect to, so the firewall is able to see the URL without decrypting the traffic and apply the configured URL filtering rules.
The forward trust certificate is (in your case without TLS decryption) used to dynamically generate certificates for the domains the client tries to connect to. The firewall does this generation only for domains that are set to block/continue or for all domains where a response page is required. And this generation is required to properly present this response page to the user, as the firewall cannot inject the response page into the HTTP connection without decryption, so it has to do it this way.
@rjdahav163 wrote: 2. We don't have any decryption profiles. Is any kind of decryption happening?
No, there is no decryption of actual user traffic happening.
@rjdahav163 wrote: 3. The URL Filtering works if the user is using a browser to open an application. But when the user uses an application to access a URL then the connection fails. Any ideas what could be going wrong here?
Is the application connecting to a URL that is blocked?