Can I use Web Filter to block HTTPS/SSL sites?

Yes! However, filtering is not as granular as when using the SSL Inspector app.

When a website is accessed via HTTPS, most of the content is encrypted, so NGFW cannot view this data or filter by it. One portion is not encrypted: the Server Name Indication (SNI). SNI is an extension of the TLS protocol that indicates which hostname (domain) the client is attempting to access. Using this information, NGFW can still filter web traffic.

The drawback is that NGFW cannot see the entire URL, only the domain. For that reason, NGFW loses granularity when filtering that traffic: all traffic to a domain is treated the same, regardless of content.

The SNI settings on NGFW can be found under Web Filter > the Advanced tab. These settings are enabled by default.

