The firewall now inspects the SSL/TLS handshakes of web traffic marked for decryption to block potential threats as early as possible. Specifically, the Content and Threat Detection (CTD) engine on the firewall inspects the Server Name Indication (SNI) field, an extension to the TLS protocol found in the Client Hello message. The SNI field contains the hostname for the website requested by the client. The firewall can use the hostname (if available) to classify the HTTPS traffic, determine its destination, and enforce the matching Security policy rules. For example, the firewall blocks a web session immediately if the domain in the SNI field belongs to a malicious URL category, provided that you have enabled your firewalls to decrypt traffic in malicious URL categories, block malicious domains, and inspect SSL/TLS handshake messages. The inspection also addresses concerns that malicious actors may exploit fields in the handshake to evade Security policy and exfiltrate data.

To take advantage of this capability, you must have an active URL Filtering license, enable SSL/TLS decryption of web traffic, and block URL categories in Security policy rules. You must enable this feature in your SSL decryption settings.