Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic
Enable inspection of SSL/TLS handshakes to categorize
URLs and block and allow sites early on in communication.
The firewall now inspects the SSL/TLS handshakes of
web traffic marked for decryption to block potential threats as
early as possible. Specifically, the Content and Threat Detection
(CTD) engine on the firewall inspects the Server Name Indication
(SNI) field, an extension to the TLS protocol found in the Client Hello
message. The SNI field contains the hostname for the website requested
by the client. The firewall can use the hostname (if available)
to classify the HTTPS traffic, determine its destination, and enforce
the matching Security policy rules. For example, the firewall blocks
a web session immediately if the domain in the SNI field belongs
to a malicious URL category, provided that you have enabled your
firewalls to decrypt traffic in malicious URL categories, block
malicious domains, and inspect SSL/TLS handshake messages. The inspection
also addresses concerns that malicious actors may exploit fields
in the handshake to evade Security policy and exfiltrate data.
To take advantage of this capability, you must have an active URL Filtering
license, enable SSL/TLS decryption of web traffic, and block URL
categories in Security policy rules. You must also enable this feature
in your SSL decryption settings.
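The following is an added example, not Palo Alto Networks code, illustrating the inspection described above: it parses the Server Name Indication extension out of a TLS ClientHello record, looks the hostname up in a category table, and returns a block/allow decision before any application data is exchanged. The ClientHello bytes and the URL category table are constructed for the example (the real firewall consults its URL Filtering database); when the Client Hello carries no SNI, the function returns a "defer" decision rather than guessing, matching the "if available" qualification in the text.

```python
"""Added example: SNI extraction from a TLS ClientHello and a category-based
policy decision. Constructed sample data; not PAN-OS code."""
import struct

# Constructed stand-in for a URL Filtering category lookup (hypothetical values).
URL_CATEGORIES = {
    "malware.example": "malware",
    "phishing.example": "phishing",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "phishing"}


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeroed for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # not a handshake record / not ClientHello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos >= len(body):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0:                           # server_name extension
                list_len = struct.unpack("!H", data[:2])[0]
                lpos = 2
                while lpos + 3 <= 2 + list_len:
                    name_type = data[lpos]
                    name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                    name = data[lpos + 3:lpos + 3 + name_len]
                    lpos += 3 + name_len
                    if name_type == 0:
                        return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def policy_decision(record):
    """Classify the session by SNI hostname; returns (action, reason)."""
    host = extract_sni(record)
    if host is None:
        # No hostname in the handshake: classification must wait for later handshake data.
        return ("defer", "no SNI in Client Hello")
    category = URL_CATEGORIES.get(host.lower(), "unknown")
    if category in BLOCKED_CATEGORIES:
        return ("block", f"{host} is in category {category}")
    return ("allow", f"{host} is in category {category}")


if __name__ == "__main__":
    for h in ("malware.example", "news.example", None):
        print(h, policy_decision(build_client_hello(h)))
```

The parser walks the fixed-layout fields (version, random, session ID, cipher suites, compression methods) before scanning the extension list for type 0; a real inspection engine would additionally have to handle a ClientHello split across multiple TLS records and hostnames that fail category lookup.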