Details This document describes how to configure the Palo Alto Networks device to serve a URL response page over an HTTPS session without SSL decryption.
Requirements
Create a URL Filtering profile that blocks the unwanted HTTP and HTTPS websites. Create a Security Policy with an action of "allow" and then link the URL Filtering profile to it.
Response pages must be enabled. This cannot be performed on a VWire interface, VWire requires SSL decryption to be able to serve a response page:
Network > Network Profiles > Interface-Mgmt Create an interface management profile with response pages enabled
A certificate to be used for Forward Trust on the Palo Alto Networks device, where it is one of the following:
A self-signed/self-generated certificate with which the box for Certificate Authority has been checked. Note: If using a self-signed/self-generated certificate it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors.
An intermediate CA certificate installed on the Palo Alto Networks device which was generated by an organization's internal CA.
A certificate to be used for Forward Untrust, which is a self-sign/self-generated certificate with which the box for Certificate Authority has been checked. This certificate is NOT to be trusted by any client that receives it.
If using dynamic URL filtering with BrightCloud, be sure to enable dynamic URL filtering on all URL filtering profiles as well as dynamic URL filtering globally. From the configure mode on the CLI of the device, enter the command listed below. If PAN-DB URL filtering is used, skip this step and proceed for the next step as the command will work only if the firewall is licensed for BrightCloud URL Filtering and not for PAN-DB URL filtering.
# set deviceconfig setting url dynamic-url yes
To enable the Palo Alto Networks device's ability to inject URL filtering response pages within an HTTPS session with the following configuration command. This command works with either BrightCloud or PAN-DB URL filter:
# set deviceconfig setting ssl-decrypt url-proxy yes
Note: Both the commands above are only available through the CLI.
Successful completion of the setup allows the firewall to serve a URL filtering response to client machines within an HTTPS session triggered by the URL Filtering policy.
Caveats with Continue and Override Today's websites server content comes from many sources. If serving a URL Response Page for an action of type Continue or Override, it is possible that some content on the page may not be rendered properly. This will happen if the content is coming from a site that is in a category for which the action is set to Block, Continue or Override. The firewall will not present the Continue and Override page for each embedded link.
Note: After you replace the certificate to renew the expiration date, restart Dataplane or the device. It removes the expired certificate cache in the Dataplane.
Additional Information
Note: In the traffic log, it is normal to see this traffic as being decrypted.