Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic

Enable inspection of SSL/TLS handshakes to categorize URLs and block and allow sites early on in communication.
The firewall now inspects the SSL/TLS handshakes of web traffic marked for decryption to block potential threats as early as possible. Specifically, the Content and Threat Detection (CTD) engine on the firewall inspects the Server Name Indication (SNI) field, an extension to the TLS protocol found in the Client Hello message. The SNI field contains the hostname for the website requested by the client. The firewall can use the hostname (if available) to classify the HTTPS traffic, determine its destination, and enforce the matching Security policy rules. For example, the firewall blocks a web session immediately if the domain in the SNI field belongs to a malicious URL category, provided that you have enabled your firewalls to decrypt traffic in malicious URL categories, block malicious domains, and inspect SSL/TLS handshake messages. The inspection also addresses concerns that malicious actors may exploit fields in the handshake to evade Security policy and exfiltrate data.
To take advantage of this capability, you must have an active URL Filtering license, enable SSL/TLS decryption of web traffic, and block URL categories in Security policy rules. You must enable this feature in your SSL decryption settings.
  1. Select
    Device > Licenses
    to confirm that you have an active URL Filtering license.
  2. Set up decryption on your web traffic.
  3. Enable inspection of SSL/TLS handshakes by CTD.
    By default, the option is disabled.
    1. Select
      Decryption Settings
      SSL Decryption Settings
    2. Send handshake messages to CTD for inspection
      Alternatively, you can use the
      set deviceconfig setting ssl-decrypt scan-handshake
      CLI command.
  4. Commit your changes.

Recommended For You