In the past we never succeeded in making URL Filtering/AppControl work as advertised in R77.30 & R80.10; now that we upgraded our VSX to R80.30 we decided to give it a shot.
In our policy we tested everything we could: simple rules with categories, rules with a custom application & list of URLs, and we are still having matching issues (blocked categories allowed, allowed categories blocked etc.).
In R80.30, URL Filtering should be using SNI to check the URLs, as the CN is not reliable since certificates can be shared and not related to the actual website's categories, but that does not seem to work either.
Even following the famous white paper that was written for R80.10 that suggested adding those commands:
fw ctl set int urlf_use_sni_for_categorization 1
fw ctl set int urlf_block_unauthorized_sni 1
Of course our configuration is following the documentation, and the "HTTPS website categorization" option is checked.
In some cases there are even some silent drops (which I think is a separate issue):
@;6279018;[vs_2];[tid_11];[fw4_11];fw_log_drop_ex: Packet proto=6 188.8.131.52:443 -> 10.160.35.190:50092 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
There is an SK about this error for a special hotfix.
TAC support case: 7h of troubleshooting couldn't find anything (not even this hotfix).
Any thoughts?
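As an added example (not from the original post or from Check Point), a small bash snippet for the Gaia expert shell that reports the two kernel parameters mentioned above and summarises the "PSL Drop: TLS_PARSER" silent drops from drop lines in the format quoted above. The lines and addresses in SAMPLE_DROPS are constructed; on a real gateway feed it the output of `fw ctl zdebug + drop` or the relevant /var/log/messages lines instead.

```bash
#!/bin/bash
# Constructed sample in the fw_log_drop_ex format quoted in the post
# (two TLS_PARSER drops on vs_2, one unrelated rulebase drop on vs_1).
SAMPLE_DROPS='@;6279018;[vs_2];[tid_11];[fw4_11];fw_log_drop_ex: Packet proto=6 192.0.2.10:443 -> 10.160.35.190:50092 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
@;6279019;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 192.0.2.11:443 -> 10.160.35.191:50100 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
@;6279020;[vs_1];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.160.35.5:51000 -> 192.0.2.20:80 dropped by fw_handle_first_packet Reason: Rulebase drop'

# tls_parser_drops: read drop lines on stdin, print "vs src dst" for every
# line whose reason is the TLS parser drop discussed in the post.
tls_parser_drops() {
  awk -F';' '/Reason: PSL Drop: TLS_PARSER/ {
      vs = $3; gsub(/\[|\]/, "", vs)          # "[vs_2]" -> "vs_2"
      split($6, f, " ")                        # f[4]=src:port f[5]="->" f[6]=dst:port
      print vs, f[4], f[6]
  }'
}

# count_tls_parser_drops: number of TLS_PARSER drops in the text passed as $1.
count_tls_parser_drops() {
  printf '%s\n' "$1" | tls_parser_drops | wc -l | tr -d ' '
}

# show_sni_params: print the current value of the two URLF kernel parameters
# from the white paper. Values set with "fw ctl set int" are not persistent
# across reboot; persistent values go in $FWDIR/boot/modules/fwkern.conf.
# Only runs where the fw binary exists (i.e. on the gateway itself).
show_sni_params() {
  if command -v fw >/dev/null 2>&1; then
    fw ctl get int urlf_use_sni_for_categorization
    fw ctl get int urlf_block_unauthorized_sni
  else
    echo "fw not found: run this on the VSX gateway (vsenv <vsid> first)"
  fi
}

# Stand-alone run over the constructed sample.
show_sni_params
printf '%s\n' "$SAMPLE_DROPS" | tls_parser_drops
echo "TLS_PARSER drops: $(count_tls_parser_drops "$SAMPLE_DROPS")"
```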