topic Re: missing block-url response page in General Topics

missing block-url response page

errevisystem — Mon, 03 Jun 2013 15:28:15 GMT

Hi all,

I have a very common security rule permitting all traffic in for 80, 8080 and 443 ports, no matter the application

The attached URL security profile denies all url categories except for one (custom).

Now I've noticed not to be able to get the expected block page each time a try to access a web site, specifically I can obtain the response page only when the detected application is "web-browsing" but not, i.e, when it's ssl, facebook, gmail etc.

So when I go to:

gmail.com

www.microsoft.com

facebook.com

etc

I get the block page.

While when i try with:

https://facebook.com

https://gmail.com

https://kb.bluecoat.com

I just get the browser error page but NO block page.

This is the TRAFFIC log

while this is the URL log

as you can see there's no match for anything else than port 80.

So I've tried to setup an ssl decryption policy

tha shoulfd catch anything for that source ip address, but nothing changes, I keep on getting a block page only when traffic is web-browsing but as you might understand is quite boring for users, whose resulting experience having the page not showing but without knowing the reason....

Is this the expected behaviour?

thanks

Manuel

Re: missing block-url response page

VinceM — Mon, 03 Jun 2013 15:33:47 GMT

Hi,

Know that in some version, there is a bug wich not allow to send reponse page if tarffic is https.

What is your version ?

Try to upgrade to last one either 5.0.5 or 4.1.12

Re: missing block-url response page

errevisystem — Mon, 03 Jun 2013 15:34:19 GMT

I forgot, my PANOS version is 5.0.4.

Don't know if this bug could somehow be related:

46649

When denying a web session with a response page, the firewall did not perform a

proper close for the TCP connection, causing the client to remain half open.

but theoretically it should have been solved starting with 5.0.4...

Re: missing block-url response page

Retired Member — Mon, 03 Jun 2013 17:16:08 GMT

I replicated this with 5.0.4

When we don't use ssl decryption no page comes.(web page cannot be displayed)

When we use ssl decryption we see block page.

Re: missing block-url response page

emr_1 — Wed, 05 Jun 2013 13:07:56 GMT

By default, you can't display block response page with HTTPS websites.

There are two ways to show it.

One is to use ssl-decryption rule, another is to enable url-proxy.

For url-proxy in detail, please refer to How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session without SSL Decryption

On my PA-200 with 5.0.5 works fine by url-proxy and no decryption rules.

Regards,

Re: missing block-url response page

errevisystem — Wed, 05 Jun 2013 15:53:57 GMT

Hi emr,

I had tried before with ssl-decryption (see my previous post) and right now with the method according to your link, I found it very useful and in my opinion that should be the default behaviour, I wonder why it's not.

Unfortunately In both cases I cannot get any block page...

Re: missing block-url response page

errevisystem — Wed, 05 Jun 2013 16:22:49 GMT

Update: just retried with another platform 5.0.5 and got it working enabling ssl-decrypt url-proxy yes