Inspect SSL/TLS Handshakes
Focus
Focus
Advanced URL Filtering

Inspect SSL/TLS Handshakes

Table of Contents

Inspect SSL/TLS Handshakes

Enable the firewall to inspect decrypted SSL/TLS traffic for threats during SSL/TLS handshakes.
Where can I use this?
What do I need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    usually include
    Advanced URL Filtering
    capabilities.
Examining SSL/TLS handshakes improves network security and optimizes legacy and Advanced URL Filtering subscriptions. When you enable SSL/TLS handshake inspection, Advanced URL Filtering uses data in the handshake to identify the traffic and enforce applicable Security policy rules as early as possible.
Here’s how it works
First, the Client Hello message is scanned for the Server Name Indication (SNI) field, a TLS protocol extension that contains the hostname of a requested website. Then, the URL category and server destination of the traffic is determined from the hostname. Next, traffic is enforced based on its URL category. If a threat is detected, such as a malicious web server in the SNI field, or if a Security policy rule blocks the website, the handshake terminates and the web session ends immediately. If no threat is detected and the traffic is allowed per policy, the SSL/TLS handshake is completed and application data is exchanged through the secure connection.
URL filtering response pages do not display for sites blocked during SSL/TLS handshake inspections because the firewall resets the HTTPS connection. The connection reset ends SSL/TLS handshakes and prevents user notification by response page. The browser displays a standard connection error message instead.
You can find details of successful SSL/TLS handshakes and sessions in the Traffic and Decryption logs. Details of failed sessions can be found in URL filtering logs; Decryption logs aren’t generated for web sessions blocked during SSL/TLS handshakes.

Cloud Managed

If you’re using Panorama to manage
Prisma Access
:
Toggle over to the
PAN-OS & Panorama
tab and follow the guidance there.
If you’re using
Strata Cloud Manager
, continue here.
A requirement of inspecting SSL handshakes is that you decrypt SSL/TLS traffic through either SSL Forward Proxy or SSL Inbound Inspection.
  1. Confirm that your
    Prisma Access
    license includes an Advanced URL Filtering subscription.
    1. Select
      Manage
      Service Setup
      Overview
      and click on the hyperlinked Quantity value. Information including Security Services appears.
    2. Under Security Services, confirm that a checkmark is next to URL Filtering.
  2. Verify that you decrypt SSL/TLS traffic through either SSL Forward Proxy or SSL Inbound Inspection.
  3. Enable inspection of SSL/TLS handshakes by CTD. By default, this option is disabled.
    1. Select
      Manage
      Configuration
      Security Services
      Decryption
      .
    2. By Decryption Settings, select the settings icon. Then, select
      Inspect TLS Handshake Messages
      .
      Alternatively, you can use the
      set deviceconfig setting ssl-decrypt scan-handshake
      <yes|no>
      CLI command.
    3. Save
      your changes. Under Decryption Settings, the Inspect TLS handshake message setting should say Enabled.
  4. Push Config
    to save and commit your changes.

PAN-OS & Panorama

  1. Select
    Device > Licenses
    to confirm that you have an active Advanced URL Filtering or legacy URL Filtering license.
  2. Verify that you decrypt SSL/TLS traffic through either SSL Forward Proxy or SSL Inbound Inspection.
  3. Enable inspection of SSL/TLS handshakes by CTD. By default, the option is disabled.
    1. Select
      Device
      Setup
      Session
      Decryption Settings
      SSL Decryption Settings
      .
    2. Select
      Send handshake messages to CTD for inspection
      .
      Alternatively, you can use the
      set deviceconfig setting ssl-decrypt scan-handshake
      <yes|no>
      CLI command.
    3. Click
      OK
      .
  4. Commit
    your configuration changes.

Recommended For You