First, the Client Hello message is scanned for the
Server Name Indication (SNI)
field, a TLS protocol extension that contains the hostname of a requested website.
Then, the URL category and server destination of the traffic is determined from the
hostname. Next, traffic is enforced based on its URL category. If a threat is
detected, such as a malicious web server in the SNI field, or if a Security policy
rule blocks the website, the handshake terminates and the web session ends
immediately. If no threat is detected and the traffic is allowed per policy, the
SSL/TLS handshake is completed and application data is exchanged through the secure
connection.