Palo Alto URL Filtering and SSL Decryption

Suresh Vina -

In my previous blog posts (linked below), we looked at how to allow or block specific websites using URL filtering. In this post, we'll look into how to use URL filtering with SSL decryption for more granular control.

Palo Alto Allow Access To Certain URLs Matching A Blocked URL Category
If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites.
PacketswitchSuresh Vina
Palo Alto How to Block Specific URLs?
In this blog post, we’ll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we’ll cover both options.
PacketswitchSuresh Vina

Why Do We Need SSL Decryption?

Previously, we saw how to block sites like facebook.com or cnn.com, or allow specific websites blocked by a URL Filtering profile. However, these methods fall short when more granular access is required. Most website traffic today is encrypted with HTTPS, meaning the firewall cannot inspect what's happening within those sessions.

Without SSL decryption, the Palo Alto firewall (or any NGFW) relies on the SNI or CN of the certificate to identify the site. For instance, if you want to allow general 'news' sites but block cnn.com/politics, SSL decryption is necessary. Without decrypting the traffic, the firewall cannot see or control what the user accesses within a website.

💡
Please note that configuring SSL decryption is outside the scope of this blog post. However, I will be writing a dedicated post on how to set up SSL decryption soon, so stay tuned. This post assumes you are already somewhat familiar with configuring SSL decryption.

SSL Decryption Recap

To move forward with our example, let's look at how to block cnn.com/politics (nothing against CNN, this is just for testing, haha) while allowing everything else. To achieve this, we first need to decrypt the traffic. But what exactly should we decrypt?

Decrypting all traffic can lead to unnecessary complications. For this example, I’ll focus on decrypting traffic categorized as 'news.' This way, when a user visits cnn.com, their traffic will be decrypted. As they navigate and click on 'politics,' the firewall can inspect the session and block that specific page.

Create a URL Category

So, first, let’s create a custom URL Category and add the URL we want to block. Navigate to Objects > Custom Objects > URL Category, create a new category, and add the URL *.cnn.com/politics. The wildcard will match URLs like cnn.com/politics or edition.cnn.com/politics.

Next, go to the URL Filtering profile attached to the security policy that permits Internet access and set the action for this category to 'block.'

SSL Decryption Policy

Next, create an SSL Decryption Policy to decrypt traffic categorized as 'news.' If you already have a decryption policy in place, you can skip this step. In this example, I don’t have any existing policy.

Here, you can define the source and destination as needed. Under the URL Category section, select 'news.' This ensures that when a user tries to access any site categorized as 'news' by Palo Alto, the traffic will be decrypted. This includes cnn.com, of course.

Testing and Verification

Now it’s time for testing. Visit cnn.com and then navigate to the 'politics' section to see what happens. As you can see, you can access cnn.com and other subpages, but as soon as you click on 'politics,' the traffic is blocked. Exactly what we wanted!

I also recorded my screen to demonstrate the behaviour in action. You can watch the recording to see how cnn.com is accessible, but navigating to the 'politics' section results in the traffic being blocked.

0:00
/0:11

Closing Up

I hope this shows the benefits of using SSL decryption with URL filtering. As mentioned earlier, I’ll cover SSL decryption in greater detail in an upcoming post. Don’t forget to subscribe so you won’t miss any updates!