https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331800#M83963 <P>Hello,</P><P>&nbsp;</P><P>Client should trust, the ssl certificate presented from firewall, Firefox keeps certificates on seperate store when importing proccess select all the checkboxes.</P><P>&nbsp;</P><P>Other possible reasons are;</P><UL><LI>there another device which is making ssl inspection between client and firewall, or between firewall and the destination server.</LI><LI>if firewall and clients are on different location maybe a mpls connection, routing problems coauses this error which i experienced before. SSL connection is sensitive to routing problems.</LI></UL> Fri, 05 Jun 2020 07:01:56 GMT upelister 2020-06-05T07:01:56Z https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331626#M83947 <P>Hi,</P><P>&nbsp;</P><P>I have the problem that for some URLs I get a block Page and for other URLs I get the "Error secure connection failed" Message.</P><P>Both responses have the same session end reason:&nbsp;<SPAN>decrypt-cert-validation.</SPAN></P><P><SPAN>As this happens regarding SSL connections I use a decryption Profile with checked:</SPAN></P><P>&nbsp;</P><P><SPAN>Block sessions with expired certificates</SPAN></P><P><SPAN>Block sessions with untrusted issuers</SPAN></P><P><SPAN>Block sessions with unknown certificate status</SPAN></P><P><SPAN>Block sessions on certificate status check timeout</SPAN></P><P>&nbsp;</P><P>I tried with Firefox and Chrome and got the explained result.</P><P>The Internet Explorer seems to always show the requested block page.</P><P>&nbsp;</P><P>Can someone maybe explain why this is happening and maybe how I can for example get Firefox to always show the block page?</P><P>&nbsp;</P><P>Best regards,</P><P>Marc</P><P>&nbsp;</P> Thu, 04 Jun 2020 14:24:19 GMT https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331626#M83947 Marc.Luecke 2020-06-04T14:24:19Z https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331654#M83950 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/123063">@Marc.Luecke</a>,</P><P>Do you utilize a web proxy at all on the browsers that aren't working as expected?&nbsp;</P> Thu, 04 Jun 2020 16:18:20 GMT https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331654#M83950 BPry 2020-06-04T16:18:20Z https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331800#M83963 <P>Hello,</P><P>&nbsp;</P><P>Client should trust, the ssl certificate presented from firewall, Firefox keeps certificates on seperate store when importing proccess select all the checkboxes.</P><P>&nbsp;</P><P>Other possible reasons are;</P><UL><LI>there another device which is making ssl inspection between client and firewall, or between firewall and the destination server.</LI><LI>if firewall and clients are on different location maybe a mpls connection, routing problems coauses this error which i experienced before. SSL connection is sensitive to routing problems.</LI></UL> Fri, 05 Jun 2020 07:01:56 GMT https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331800#M83963 upelister 2020-06-05T07:01:56Z https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331834#M83969 <P>Unfortunately there is no web proxy used.</P><P>But thanks for the hint <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Best regards,</P><P>Marc</P> Fri, 05 Jun 2020 09:08:55 GMT https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331834#M83969 Marc.Luecke 2020-06-05T09:08:55Z https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331837#M83970 <P>Hi,</P><P>&nbsp;</P><P>the Certificate is installed to the trusted certificate store of Firefox.</P><P>There are no other devices installed between client and FW or FW and destination.</P><P>&nbsp;</P><P>I have to inform myself about the locations.</P><P>&nbsp;</P><P>Please don't misunderstand the issue as this is about that, for the same session end reason, I get two different outputs. Sometimes the Error message, sometimes the block page and I would like to always get the block page.</P><P>&nbsp;</P><P>It seems to work fine in the Internet Explorer, so I am kind of confused.</P><P>&nbsp;</P><P>Edit:&nbsp;I have check the "<SPAN>Strip ALPN" Option in the Decryption Profile and it works for now. </SPAN></P><P><SPAN>Maybe because now HTTP1 is used?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Is it possible that the NGFW has problems with HTTP2 ?</SPAN></P><P>&nbsp;</P><P><SPAN>Best regards,</SPAN></P><P><SPAN>Marc</SPAN></P><P>&nbsp;</P> Fri, 05 Jun 2020 09:35:17 GMT https://live.paloaltonetworks.com/t5/general-topics/block-page-not-always-displayed/m-p/331837#M83970 Marc.Luecke 2020-06-05T09:35:17Z