Enable inspection of SSL/TLS handshakes to categorize URLs and block and allow sites early on in communication.

The firewall now inspects the SSL/TLS handshakes of web traffic marked for decryption to block potential threats as early as possible. Specifically, the Content and Threat Detection (CTD) engine on the firewall inspects the Server Name Indication (SNI) field, an extension to the TLS protocol found in the Client Hello message. The SNI field contains the hostname for the website requested by the client. The firewall can use the hostname (if available) to classify the HTTPS traffic, determine its destination, and enforce the matching Security policy rules. For example, the firewall blocks a web session immediately if the domain in the SNI field belongs to a malicious URL category, provided that you have enabled your firewalls to decrypt traffic in malicious URL categories, block malicious domains, and inspect SSL/TLS handshake messages. The inspection also addresses concerns that malicious actors may exploit fields in the handshake to evade Security policy and exfiltrate data.

To take advantage of this capability, you must have an active URL Filtering license, enable SSL/TLS decryption of web traffic, and block URL categories in Security policy rules. You must enable this feature in your SSL decryption settings.
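The following added example, which is not part of the firewall's own code or documentation, shows the mechanism the text describes: pulling the hostname out of the SNI extension of a TLS ClientHello and deciding allow/block from it before any application data is exchanged. The category table and the ClientHello builder are constructed sample data standing in for the URL Filtering lookup and real client traffic.

```python
import struct

# Hostname-to-category table standing in for the firewall's URL Filtering
# lookup (constructed sample data, not a real category database).
URL_CATEGORIES = {"malware.example": "malware", "news.example": "news"}
BLOCKED_CATEGORIES = {"malware", "phishing"}

def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data   # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent."""
    try:
        if record[0] != 0x16:
            return None                                  # not a TLS handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                                  # not a ClientHello
        pos = 4 + 2 + 32                                 # handshake header, version, random
        pos += 1 + hs[pos]                               # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                               # compression methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:                        # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            if ext_type == 0x0000 and data[2] == 0x00:   # server_name list, host_name entry
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
            pos += 4 + ext_len
    except (IndexError, struct.error):
        pass                                             # truncated or malformed: treat as no SNI
    return None

def verdict(record):
    """Allow/block from the SNI alone, before any application data is exchanged."""
    category = URL_CATEGORIES.get(extract_sni(record), "unknown")
    return "block" if category in BLOCKED_CATEGORIES else "allow"
```

A ClientHello with no SNI (or a truncated record) yields no hostname and falls through to the "unknown" category, which is the "if available" caveat in the text.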