Domain Fronting Detection

Firewalls equipped with Threat Prevention can now detect domain fronting, a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration. A malicious user sending a crafted request can present a benign-looking website in the TLS SNI while surreptitiously connecting to a different website named in the HTTP Host header. The websites that are reached through domain fronting are unlikely to be on the allow list that corporate security policy grants to users.
When the domain presented in the SNI (Server Name Indication) differs from the domain in the HTTP payload, the firewall generates a threat log with the unique threat ID 86467 (as a Spyware signature). To provide context for threat assessment, the threat log records the spoofed SNI domain in the URL/Filename (misc) threat log field, which is displayed as URL in the threat log. A corresponding URL log showing the HTTP Host header in the URL field is also available; find it by searching for the matching session ID.
Enable SSL decryption to detect domain fronting techniques. You must also enable inspection of SSL/TLS handshakes by CTD at Device > Setup > Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection. In cases where certain apps are excluded from decryption by default (such as Signal), you must disable Exclude from Decryption for the specific apps under Device > Certificate Management > SSL Decryption Exclusion.
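The check the firewall performs, an SNI extracted from the TLS ClientHello compared against the Host header seen after decryption, is shown below as an added illustration written for this page; it is not Palo Alto Networks code and does not reproduce the signature. The ClientHello and HTTP request are constructed sample data, and the function names (build_client_hello, extract_sni, extract_host, check_domain_fronting) are this example's own.

```python
import struct
from typing import Optional


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension.

    Constructed sample data for this example, not captured traffic.
    """
    name = sni.encode("idna")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x11" * 32           # random (fixed filler)
        + b"\x00"                # session_id length: 0
        + b"\x00\x02\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS handshake record and return the host_name from the SNI extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version and random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                          # server_name extension
            p = pos + 2
            list_end = p + struct.unpack("!H", body[pos:pos + 2])[0]
            while p + 3 <= list_end:
                ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                       # name_type host_name
                    return body[p:p + nlen].decode("idna")
                p += nlen
        pos += elen
    return None


def extract_host(http_request: bytes) -> Optional[str]:
    """Return the Host header value of a decrypted HTTP/1.x request, without any port."""
    head = http_request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def check_domain_fronting(record: bytes, http_request: bytes) -> dict:
    """Flag a session whose SNI and Host header name different domains.

    Mirrors the condition the page describes; the SNI is what a URL filter
    sees, the Host header is where the request actually goes.
    """
    sni, host = extract_sni(record), extract_host(http_request)
    fronting = (sni is not None and host is not None
                and _normalize(sni) != _normalize(host))
    return {"sni": sni, "host": host, "fronting": fronting}


if __name__ == "__main__":
    hello = build_client_hello("cdn.example.com")                 # constructed
    req = b"GET /upload HTTP/1.1\r\nHost: hidden.example.net\r\n\r\n"  # constructed
    print(check_domain_fronting(hello, req))
```

A result with fronting set to True corresponds to the situation in which the firewall would raise threat ID 86467, with the SNI value landing in the threat log's URL/Filename field and the Host value in the URL log. The comparison normalizes case and a trailing dot so that benign variations in how a client writes the same name do not produce false positives; a port suffix on the Host header is dropped for the same reason.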