The customer has deployed Credential Detection feature. They are able to view logs of the same on the firewall.
They have the action as "Continue" for "Auction" URL category. On submission of credential Response page do not appear and " SEC_ERROR_UNKNOWN_ISSUER" error is displayed. I checked the certificate when the error appears in chrome and found that it is Palo Alto certificate.(Please find attachment).
When the action is set to "block" fro credential detection, the warning page is displayed properly.
We also checked "continue" action for URL and it properly displays response page,
Is this an issue with Anti Phishing Continue Page? as everything else is working as expected
I finally got this to work. To benefit the rest of the community, I wrote an article that PAN will hopefully post officially.
Configure URL Admin Override for Credential Filter Detection
sub heading: User Credential Submission = continue
In some cases there may be URL categories that you want to warn users about credential detection instead of blocking outright. In these cases, you would want to present a splash page to warn the user but allow the user to continue forward. In this case, you would set the user credential submission action to continue. When users attempt to browse to the category, they will be present with a splash page alerting them to their detected user credential but allowed to continue if they choose. Use the following procedure to configure User Credential Submission where the action is continue:
1. Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
a. Select Network > Interface Mgmt and click Add.
b. Enter a Name for the profile, select Response Pages AND any additional services you require (i.e. ping), and then click OK.
2. Create the Layer 3 interface OR use an already existing interface (i.e. the firewalls internal interface). Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).
1. (To avoid certificate errors use a certificate signed by a trusted CA in the organization). The certificate should be created following these parameters:
a. The common name must be the DNS hostname of the internal interface/some other interface of the firewall, or it must be the internal interface ip address/some other interface ip address of the firewall.
b. A SAN for the IP address for step a must also exist on the certificate.
c. Import the certificate and private into the firewall
1. Select Objects > URL Filtering and either select an existing URL filtering profile or Add a new one.
2. On the Categories tab, set the User Credential submission action to continue for each category that requires a warning splash page.
3. Complete any remaining sections on the URL filtering profile and then click OK to save the profile.
1. Create a SSL/TLS Service Profile from device -> certificate management -> ssl/tls service profile
2. Click add
3. Give it a name
4. Select the certificate imported from step 2
5. The protocol settings section should be fine.
1. Select Device > Setup > Content ID.
2. In the URL Admin Override section, click Add.
3. In the Location field, select the virtual system to which this password applies.
4. Enter the Password and Confirm Password. (this doesn't matter for credential filtering action set to continue but we have to provide it anyways)
5. Select an SSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the continue action is an HTTPS site.
6. Select the Mode for prompting the user for the password:
a. (do not use) Transparent (this mode is not valid for credential submission continue action. The reason is because we cannot generate a certificate that is valid for all public internet sites) —The firewall intercepts the browser traffic destined for site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
b. (use this one) Redirect (We need to forcefully redirect our users to an ip address/hostname on the firewall to service out the response page because of step 1) —The firewall intercepts HTTP or HTTPS traffic to a URL category set to continue and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt the user to click continue. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
7. Click OK.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!