Domain Fronting Detection

Firewalls equipped with Threat Prevention can now detect domain fronting, a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration. A malicious user with a crafted packet can indicate a fake website in the SNI while surreptitiously connecting to a different website via the HTTP Host Header. Websites that are expressed using domain fronting are unlikely to be on the allow list for users, as per corporate security policies.
When the domain entry differs between what is presented in the SNI (server name indication) and HTTP payloads, the firewall generates a threat log with a unique threat ID of 86467 (as a Spyware signature). To provide a context for threat assessment purposes, the threat log contains the spoofed SNI domain in the URL/Filename (misc) threat log field, which is expressed as
URL
in the threat log. A corresponding URL log showing the HTTP host header in the
URL
field, is also available, which can be found by searching for the matching session ID.
Enable SSL decryption to detect domain fronting techniques. You must also enable inspection of SSL/TLS handshakes by CTD at
Device
Setup Session
Decryption Settings
SSL Decryption Settings
Send handshake messages to CTD for inspection
. In cases where certain apps are excluded from decryption by default (such as Signal), you must disable Exclude from Decryption for the specific apps under
Device
Certificate Management
SSL Decryption Exclusion
.

Recommended For You