Firewalls equipped with Threat Prevention or Advanced Threat Prevention can now detect domain fronting, a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration. A malicious user with a crafted packet can indicate a decoy website in the TLS SNI while surreptitiously connecting to a different website via the HTTP Host header. The websites actually reached through domain fronting are unlikely to be on the allow list for users, as per corporate security policies.
When the domain presented in the SNI (server name indication) differs from the domain in the HTTP payload, the firewall generates a threat log with the unique threat ID 86467 (as a Spyware signature). To provide context for threat assessment, the threat log carries the spoofed SNI domain in the URL/Filename (misc) threat log field, which is displayed as the URL in the threat log. A corresponding URL log showing the HTTP Host header in its URL field is also available; it can be found by searching for the matching session ID.
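The two-log correlation described above, as an added example that is not part of the original documentation and not the firewall vendor's code: it joins a threat log entry for threat ID 86467 with the URL log entry that shares its session ID, so the spoofed SNI and the real HTTP Host header sit side by side, and then applies a registrable-domain comparison so that ordinary subdomain differences within one organisation are not treated as fronting. The log column names, the CSV layout and the sample rows are constructed for this example; the registrable-domain helper is a two-label simplification rather than a public suffix list lookup.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Threat ID of the domain fronting signature, as stated on the page.
DOMAIN_FRONTING_THREAT_ID = "86467"

# Constructed sample logs. Column names and values are assumptions for this
# example, not the firewall's actual export format.
THREAT_LOG = """\
session_id,subtype,threat_id,misc
4001,spyware,86467,www.fronted-decoy.example/
4002,spyware,30001,other-signature.example/
"""
URL_LOG = """\
session_id,url,category
4001,real-destination.example/upload,unknown
4003,news.example/,news
"""


@dataclass
class FrontingFinding:
    session_id: str
    sni_domain: str             # spoofed SNI, taken from the threat log's misc field
    host_header: Optional[str]  # HTTP Host header from the URL log, None if no URL log matched


def _rows(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _domain_of(url_field: str) -> str:
    # The URL fields are stored as "host/path"; keep the host, drop any port, lower-case it.
    return url_field.split("/", 1)[0].split(":", 1)[0].lower()


def correlate_domain_fronting(threat_log: str, url_log: str) -> List[FrontingFinding]:
    """Join domain fronting threat log rows with URL log rows on session ID."""
    url_by_session = {r["session_id"]: r for r in _rows(url_log)}
    findings = []
    for t in _rows(threat_log):
        if t["threat_id"] != DOMAIN_FRONTING_THREAT_ID:
            continue  # only the domain fronting signature is of interest here
        u = url_by_session.get(t["session_id"])
        findings.append(FrontingFinding(
            session_id=t["session_id"],
            sni_domain=_domain_of(t["misc"]),
            host_header=_domain_of(u["url"]) if u else None,
        ))
    return findings


def registrable_domain(host: str) -> str:
    # Simplified to the last two labels (assumption for this example); a production
    # check would consult the public suffix list so that e.g. "co.uk" is handled.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sni_host_mismatch(sni: str, host_header: str) -> bool:
    """True when the TLS SNI and the HTTP Host do not share a registrable domain.
    Subdomain differences under one domain (cdn.x vs www.x) are common and not flagged."""
    return registrable_domain(sni) != registrable_domain(host_header)


if __name__ == "__main__":
    for f in correlate_domain_fronting(THREAT_LOG, URL_LOG):
        verdict = "no URL log for session" if f.host_header is None else \
            f"mismatch={sni_host_mismatch(f.sni_domain, f.host_header)}"
        print(f"session {f.session_id}: SNI={f.sni_domain} Host={f.host_header} {verdict}")
```

When run, the script reports session 4001 with the decoy SNI next to the real Host header and a mismatch verdict, while session 4002 (a different signature) and session 4003 (no threat log) are ignored, which mirrors the manual session ID search the text describes.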