https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27177#M19825 <HTML><HEAD></HEAD><BODY><P>Hi Hulk,</P><P></P><P>thx for your answer. Will test that as faster as possible <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>cheers.</P><P></P><P>v.</P></BODY></HTML> Tue, 03 Jun 2014 07:42:20 GMT VinceM 2014-06-03T07:42:20Z https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27175#M19823 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>We are currently on PA-2050 in version 5.0.9.</P><P>Creating Web secur profile for test categorie (with PAn-DB).</P><P>If trying to access blocked page in http =&gt; block page (NICE !!)</P><P>If trying to access blocked page in https =&gt; Page "session has been reste" - default browser block page.</P><P></P><P>Would like to have the palo block page everytime.</P><P>Can you help me to configure that ?</P><P></P><P>Thx in advance.</P><P></P><P>V.</P></BODY></HTML> Mon, 02 Jun 2014 15:03:41 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27175#M19823 VinceM 2014-06-02T15:03:41Z https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27176#M19824 <HTML><HEAD></HEAD><BODY><P>Could you please confirm that Decryption policy is configured on the PAN FW or not, if not, then you have to configure:</P><P></P><UL><LI>A certificate on the PAN Device. One of the following:<UL style="font-weight: inherit; font-style: inherit; font-family: inherit;"><LI style="margin-top: 0.5ex; margin-bottom: 0.5ex; font-weight: inherit; font-style: inherit; font-family: inherit; list-style-type: inherit;">A self-signed/self-generated certificate which is a CA certificate configured for Forward Trust / Forward Untrust use (as relevant to deployment requirements)<BR /><STRONG style="font-style: inherit; font-family: inherit;">Note:</STRONG> if using a self-signed/<SPAN class="GINGER_SOFTWARE_mark">sef</SPAN>-generated certificate it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors</LI><LI>An intermediate CA certificate installed on the PAN Device which was generated by an organization's internal CA also configured for Forward Trust / Forward Untrust use</LI></UL></LI></UL><P></P><P>Even though you haven't configured a decryption policy, The PAN firewall will internally decrypt the packet to push the BLOCK page notification in front of the end user, during handshake.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4901">How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session without SSL Decryption</A></P><P></P><P></P><P>But, as per my experience, you will get the best result with a decryption policy.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 02 Jun 2014 16:36:55 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27176#M19824 HULK 2014-06-02T16:36:55Z https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27177#M19825 <HTML><HEAD></HEAD><BODY><P>Hi Hulk,</P><P></P><P>thx for your answer. Will test that as faster as possible <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>cheers.</P><P></P><P>v.</P></BODY></HTML> Tue, 03 Jun 2014 07:42:20 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-page-for-https-traffic/m-p/27177#M19825 VinceM 2014-06-03T07:42:20Z