topic No Block Page when accessing Blocked Categories over HTTPS in General Topics

No Block Page when accessing Blocked Categories over HTTPS

Bocsa — Fri, 28 Apr 2017 15:30:11 GMT

Hi there,

I have recently noticed that when I test access to URLs of blocked categories over HTTPS, I do not get a 'Blocked Page' display from the Palo. It just says the Page Cannot be Displayed and show the connection was reset.

The URL filtering log correctly show as 'Block-URL' for the action. I just do not get a 'Block Page'.

SSL decrypt is not configured.

How can I get a block page for blocked categories over HTTPS, without SSL Decrypt.

Your assistance is appreciated

Re: No Block Page when accessing Blocked Categories over HTTPS

kiwi — Fri, 28 Apr 2017 15:57:06 GMT

Hi @Bocsa,

Are you looking for this ?

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an-HTTPS-Session-Without/ta-p/55998

Hope it helps.

-Kiwi

Re: No Block Page when accessing Blocked Categories over HTTPS

Bocsa — Fri, 28 Apr 2017 16:31:43 GMT

Hi,

I had tried this earlier. It doesn't solve the problem. In my case all it did was give me a message saying 'The Connection to the Site is Not Trusted' (ie the standard message you get when accessing an SSL site without a Trusted Certificate.

I still do not get a 'Block Page'

Re: No Block Page when accessing Blocked Categories over HTTPS

BPry — Fri, 28 Apr 2017 16:49:43 GMT

@Bocsa,

The security warning could have been a few things:

1) The Forward Trust certificate wan't trusted by the client, this cert actually needs to be imported and trusted by the clients.

2) The site you were attempting to visit wasn't a trusted certificate, so it served the Forward Untrust cert.

You also need to enable the ability to inject the response pages within an HTTPS session which could also be the issue. Are you sure that you ran the 'set deviceconfig settting ssl-decrypt url-proxy yes' command, without this setting then the device won't inject the response pages.

Re: No Block Page when accessing Blocked Categories over HTTPS

Bocsa — Wed, 03 May 2017 08:53:37 GMT

''You also need to enable the ability to inject the response pages within an HTTPS session which could also be the issue''.....I'm not sure of what you mean by enable to ability to inject the response pages here.

Yes, I have put in the command 'set deviceconfig settting ssl-decrypt url-proxy yes'

Re: No Block Page when accessing Blocked Categories over HTTPS

ChrisRussell — Wed, 03 May 2017 21:18:27 GMT

If the sites cert isn't supported by the TSL, thats happening before the request can be blocked. Test if you get it with a site that has a supported cert, but is set to be blocked.

Re: No Block Page when accessing Blocked Categories over HTTPS

P.Braat — Mon, 08 May 2017 06:50:35 GMT

hi,

The problem you are having is based on the fact that the only FW can in normal cercomstances can not highjack the ssl session because it does not have the root cert of the destination. therefore it can only work if you do a man in the middle (or ssl inspection as it is called in the firewall). this will terminate the session of the client on the firewall witch in turn wil present it's own cert, this cert wil be signed by the firewall itself unless you have taken precautions and installed a trusted public ca. In this case it presents it's a cert signed by itself, which is not trusted by the client, thats why you're getting a site not trusted.

Hope this kind of explains the problem.