Disable SNI TLS extension check on Azure Firewall
We are getting a lot of "Action: Deny. Reason: SNI TLS extension was missing" entries in the Azure Firewall log, which causes application failures if the client application doesn't support SNI in the ClientHello. Can we add a feature to disable the SNI check on the Firewall manually?
anmol tandon commented
Hi! Any chance you were able to resolve this issue? Were you able to bypass this action rule?
Fernando Simonazzi commented
If the client is not using SNI then application rules cannot be used to allow the packets through. The only chance the application rules have to inspect the packets in a TLS connection to decide if it should be allowed is during the handshake, which is sent in cleartext; after that the packets will be encrypted and the rule evaluation would be "blind". I couldn't find any hard documentation on this, but my guess is that for TLS connections the evaluation extracts the target host name from the SNI extension; if that is missing, the evaluation cannot be done, hence the message.
You'll need to use network rules based on the IP address instead.
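To make the mechanism described in the comment above concrete, here is an added example (not code from the original thread and not Azure Firewall's implementation): it builds two constructed TLS ClientHello records, one with and one without the `server_name` extension, parses the cleartext handshake to pull out the SNI, and then evaluates a hypothetical FQDN-based application rule the way the comment guesses the firewall does. The `build_client_hello`, `extract_sni` and `evaluate_application_rule` names and the allowed-FQDN list are assumptions for illustration; the deny reason string mirrors the log entry quoted in the post.

```python
import struct

SNI_EXT = 0x0000            # TLS extension type for server_name (RFC 6066)
SUPPORTED_VERSIONS = 0x002B  # included so the "no SNI" hello still has an extensions block


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not captured traffic)."""
    body = b"\x03\x03"                 # client_version: TLS 1.2
    body += b"\x00" * 32               # client random (zeros are fine for a sample)
    body += b"\x00"                    # session_id length 0
    body += b"\x00\x02\x13\x01"        # cipher_suites: length 2, TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                # compression_methods: length 1, null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name(0)
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    sv = b"\x02\x03\x04"                                               # supported_versions: TLS 1.3
    extensions += struct.pack("!HH", SUPPORTED_VERSIONS, len(sv)) + sv
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the server_name extension of a ClientHello, or None if absent.

    Raises ValueError when the bytes are not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # legacy hello with no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT:
            continue
        lpos = 2                                   # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            name = edata[lpos + 3:lpos + 3 + nlen]
            if ntype == 0:                         # host_name
                return name.decode("ascii")
            lpos += 3 + nlen
    return None


def evaluate_application_rule(record, allowed_fqdns):
    """Hypothetical FQDN-based application rule: the only host information available before
    encryption starts is the SNI in the ClientHello, so a missing SNI cannot be matched."""
    try:
        sni = extract_sni(record)
    except ValueError as exc:
        return f"Deny. Reason: {exc}"
    if sni is None:
        return "Deny. Reason: SNI TLS extension was missing"
    if sni.lower() in {f.lower() for f in allowed_fqdns}:
        return f"Allow. Target: {sni}"
    return f"Deny. Reason: {sni} not in allowed FQDNs"


if __name__ == "__main__":
    allowed = ["www.example.com"]                  # assumed rule target, not a real rule
    for hello in (build_client_hello("www.example.com"), build_client_hello()):
        print(evaluate_application_rule(hello, allowed))
```

Running the block prints one Allow line for the hello that carries SNI and the "SNI TLS extension was missing" deny for the one that does not, which is exactly why the comment points to IP-based network rules for such clients: without the host name in the handshake there is nothing for an FQDN rule to match, and the rest of the connection is opaque to the firewall. Feeding `extract_sni` the first record captured from a failing client is also a quick way to confirm whether it really omits SNI before changing rules.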