https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236879#M67884 <P>When you go directly to "shodan.io", which is categorized as a hacking site, the palo will block that URL. When searching thru google for that site, then click on it, a reset page is sent, need to understand why? Is it considered a "threat" if google makes the request? so the threat settings would be used instead of the URL Filtering Security settings? Would Severity settings come into play?</P> Wed, 24 Oct 2018 17:50:51 GMT tstores31 2018-10-24T17:50:51Z https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236879#M67884 <P>When you go directly to "shodan.io", which is categorized as a hacking site, the palo will block that URL. When searching thru google for that site, then click on it, a reset page is sent, need to understand why? Is it considered a "threat" if google makes the request? so the threat settings would be used instead of the URL Filtering Security settings? Would Severity settings come into play?</P> Wed, 24 Oct 2018 17:50:51 GMT https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236879#M67884 tstores31 2018-10-24T17:50:51Z https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236905#M67885 <P>Going directly to the site from my browser the request uses port 80(web page blocked), when using google search the request uses port 443 and I receive "This site cannot be reached" "The connection was reset".&nbsp;</P> Wed, 24 Oct 2018 19:09:58 GMT https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236905#M67885 tstores31 2018-10-24T19:09:58Z https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236908#M67886 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/47145">@tstores31</a></P><P>&nbsp;</P><P>You were pretty much on the right track with what you said. When you go to "shodan.io" it uses HTTP. The firewall can do a "man in the middle attack" on this HTTP session and present the URL block page.</P><P>&nbsp;</P><P>On the Google Search result for shodan.io, the URL is https://. Without SSL decryption, the firewall cannot do a MiTM attack on the SSL site to present the block page, however access to the site can still be blocked as per your URL filtering configuration.</P><P>&nbsp;</P><P>To conclude, if you want to present block pages for SSL sites - you will need to configure SSL decryption.</P><P>&nbsp;</P><P>Cheers,</P><P>Luke.</P><P>&nbsp;</P> Wed, 24 Oct 2018 19:54:29 GMT https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/236908#M67886 LukeBullimore 2018-10-24T19:54:29Z https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/417203#M93526 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/172278">@pal7mentor</a> ,</P><P>&nbsp;</P><P>In addition to what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52796">@LukeBullimore</a>&nbsp; says you should be able to enable block page for encrypted traffic even without SSL decryption</P><P>Details in the following link - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0" target="_blank">How to Serve a URL Response Page Over an HTTPS Session Without ... - Knowledge Base - Palo Alto Networks</A></P> Tue, 06 Jul 2021 05:51:05 GMT https://live.paloaltonetworks.com/t5/general-topics/hacking-url-direct-thru-palo-deny-reason-quot-block-url-quot-via/m-p/417203#M93526 aleksandar.astardzhiev 2021-07-06T05:51:05Z