Multiple Response Pages


Cyber Elite

Does anyone know of a way to make multiple response pages for different user groups, specifically the URL Filtering and Category Match Block Page?

Essentially what I'm trying to do is create two different responses; one that will tell you your request was blocked because of policy, and the other one will simply block the traffic and display a blank page that doesn't give the end user any notification that the category in question is actually being blocked.

 


8 Replies

L4 Transporter

Hi,

 

Response pages are set globally rather than per policy, so you can't have a different response page based on user. If you don't want to have a response page shown then you can remove response pages from the interface mgmt profile.

 

Ben

Thanks Ben! That's what I was seeing but I wanted to make sure that I wasn't missing something. 

Cyber Elite

It's a bit like bringing a bulldozer to put in a nail, but you can have a unique response page per vsys, so a multi-vsys system can have several response pages.

You can also load the content of the response page from a remote server, which might allow you to work with access lists: Using a Custom Response Page to HTTP Redirect

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L3 Networker

You can actually do this type of thing with a little javascript - here's an example script: 

 

<script type="text/javascript">
if ("<category/>" == "test") {
    window.location="http://www.google.com";
} 
</script>

If you insert that in the <head> section of your response page, any traffic that matches the category named 'test' will redirect to www.google.com.

You can also match on user, file, rule name, etc...

I'll second @drogers' suggestion to check out your options with javascript, as this is how I'm dealing with my URL Filtering response page.  I stuck some javascript in there to utilize the variables Palo Alto generates to determine what type of page it hit (malware, phishing, etc) and then display the appropriate images/content.


@drogers wrote:

You can actually do this type of thing with a little javascript - here's an example script: 

 

<script type="text/javascript">
if ("<category/>" == "test") {
    window.location="http://www.google.com";
} 
</script>

If you insert that in the <head> section of your response page, any traffic that matches the category named 'test' will redirect to www.google.com.

You can also match on user, file, rule name, etc...


@drogers A coder is the last list of tricks in my bag so I'd hope to clarify something.  Currently a response page for block action is uploaded in code wholly contained in the firewall.  (images base-64 encoded and whatnot)

 

What you're writing here:

 

<script type="text/javascript">
if ("<category/>" == "test") {
window.location="http://www.google.com";
}
</script>

 

Essentially category could be a custom URL value or some predefined URL cat like "malware"?  Right... This is "test"?

 

Then if category = "test" in this "response page" that's uploaded into the firewall the response page is actually a redirect to some other webpage / content? 

 

Am I understanding that correctly?  So this would mean we'd need some other web front end via apache / iis hosting these response pages / coding?

 

So:

 

"malware" could get fakedomain.com/malware

"blacklist" could get fakedomain.com/blacklist

"phishing" could get fakedomain.com/phishing

 

... And so on?

 

Thanks,

Brandon

 

--edit-- I hope my understanding is correct and I didn't just write that out all wrong.

I believe the redirect was just an example. You have all of javascript at your disposal (assuming the client browser is running javascript), so you can make it as complex or as simple as you wish.

But if you do take the redirect approach, yes, you'd have to provide your own server/server-side scripting.

--
CCNA Security, PCNSE7

Brandon,

   Yes - in my example 'test' is a custom URL category that I used when I was validating this.  The example I was working out was actually for a customer that required a redirect to a 3rd party web server for quarantining users, but you could just as easily use the script to update the DOM to display a completely different set of text / layout based on the URL category.  Or you could do as your example pointed out and send users to different landing pages on your own web server.  Pretty much anything you can do with javascript can be done in place of the redirect in my script...
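The two options discussed in this thread (changing what the block page shows per category, or sending users to per-category landing pages) can be driven from one fixed lookup table. The following is an added example, not code from any poster or from Palo Alto Networks; the landing-page host, the `block-reason` element id and the category-to-action choices are assumptions.

```javascript
// Added example: category-driven block-page behaviour from one fixed table.
// Host name, element id and the category choices below are assumptions.
const LANDING_BASE = "https://blockpages.example.internal/"; // hypothetical server

// Map (not a plain object) so names like "constructor" never match by accident.
const RESPONSES = new Map([
  ["malware",  { action: "redirect", path: "malware" }],
  ["phishing", { action: "redirect", path: "phishing" }],
  ["test",     { action: "blank" }], // block without showing a notice
]);
const DEFAULT_TEXT = "Your request was blocked because of policy.";

// `category` is the string the firewall substitutes for <category/>.
function chooseResponse(category) {
  const key = String(category).trim().toLowerCase();
  const entry = RESPONSES.get(key);
  if (!entry) {
    // Unknown or unsubstituted value: fall back to the normal notice.
    return { action: "message", text: DEFAULT_TEXT + " Category: " + key };
  }
  if (entry.action === "redirect") {
    // URL comes only from the table, never from the category string itself.
    return { action: "redirect", url: LANDING_BASE + entry.path };
  }
  return { action: entry.action };
}

// doc and loc are passed in so the logic can also run outside a browser.
function applyResponse(decision, doc, loc) {
  if (decision.action === "redirect") {
    loc.replace(decision.url);
  } else if (decision.action === "blank") {
    doc.body.textContent = "";
  } else {
    // textContent, not innerHTML: the value is shown as text, never parsed.
    doc.getElementById("block-reason").textContent = decision.text;
  }
  return decision.action;
}

// In the response page's <head>:
//   window.addEventListener("DOMContentLoaded", function () {
//     applyResponse(chooseResponse("<category/>"), document, window.location);
//   });
```

Because the decision runs in the browser, the table and the substituted category remain visible in the page source; the blank variant hides the notice from casual view, not the fact that a block occurred.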

 

 
