topic Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites? in General Topics

Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

jwolach — Wed, 08 Apr 2015 15:18:04 GMT

I'm trying to understand why users can't get a URL Filtering Response Page when they go to SSL-based Web Sites that are not being decrypted by the firewall.

Thanks,

Jeff

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

cpainchaud — Wed, 08 Apr 2015 16:53:32 GMT

it's the purpose of SSL (encrypted) webpages : no one can mess with the content of your website unless he can do a Man in the Middle to decrypt and listen, even change the content. In order to make a nice error message to user any product in the market needs to replace original content of the webpage with that error message and it's only doable if decryption is done.

when we can't decrypt then we drop traffic.

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

pulukas — Wed, 08 Apr 2015 20:04:39 GMT

URL filtering is done after the session is setup when the http request is made. By this point the session is encrypted including the payload of the url text. So we require decryption in order to read the URL and check the category and apply rules.

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

jwolach — Wed, 08 Apr 2015 20:18:04 GMT

Hi Steven,

Thank you very much for your answer. I understand why we must SSL Decrypt to be able to see the actual HTTP Get Request. What I don't understand is why the firewall doesn't display a URL Response Page for URL Categories that have an action of either Block, Continue or Override for sites that are SSL but not decrypted by the firewall. What does the firewall do (technically) when it is presented a site that is block, continue or override by the URL Filtering Profile in order for it to present a Response Page?

Thanks,

Jeff

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

jthakur — Wed, 08 Apr 2015 22:39:05 GMT

I hope below link may help you.

How to Serve a URL Response Page Over an HTTPS Session Without SSL Decryption

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

jwolach — Wed, 08 Apr 2015 23:20:34 GMT

I already looked at that thread and if you read it closely and implement it, the firewall is actually decrypting the HTTPS sessions. The title is very misleading.

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

jthakur — Wed, 08 Apr 2015 23:58:11 GMT

If you are using Firefox and see message "(Error code: ssl_error_rx_record_too_long) ", then it means firewall has sent the response page however the browser expected the SSL\TLS handshake.

You can take a packet capture on client machine to see what's happening.

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

cpainchaud — Thu, 09 Apr 2015 08:21:02 GMT

I replied in #1 : a block/error message requires the original page to be replaced by error page and doing that cannot be done without decrypting since the original page is inside the encrypted connection.

Re: Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

jwolach — Thu, 09 Apr 2015 12:47:20 GMT

Got it! Thank you very much!