Categorize HTTPS Website and TLSv1.3

May the 4th (+4)
Roadmap Session and Use Cases for
Cloud Security, SASE, and Email Security

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

Paradigm Shifts: Adventures Unleashed!
Capture Your Adventure for a Chance to WIN!

Join the Photo Contest!

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hello Folks,

I am working with a client who has an issue blocking a specific adult categorized website. Security gateway is running R77.30 and management is on R80.10.

While the initial problem was because of an old app db due to which the website used to return as un-categorized. This was fixed, however we started to see that the website was still accessible over HTTPS. Categorize HTTPS websites is enabled (no inspection).

Most of the known adult websites over HTTP or HTTPS is being blocked except this one (letmerjerk.com). When I ran tests on ssllabs, I did see multiple certificates returning (possible SNI too), but from the capture ran on a test setup and client's environment I saw that the server was returning the CN/DN matching the URL (no SNI). Further to this, while using additional TLS filters on Wireshark saw that the website is negotiating over TLSv1.3.

To confirm the behavior, I tried accessing the website using Internet explorer with TLSv1.2 and 1.1 disabled. Firewall blocked it successfully, while when I use Chrome (from version 63 is built to support TLSv1.3) website opens.

I understand HTTPS inspection is the answer, but we are talking about multiple client offices + multiple firewalls which invites additional work. TAC has been involved, but they don't seem be answering my question on this limitation, but its just a pure reply recommending Inspection to be enabled.

Anybody knows if this has been documented/discussed before?