Block Pages are Not Displayed When Using SSL and a Web-Proxy



When a file blocking or URL filtering profile is configured for a policy (with or without the continue action), the block or continue page does not appear when users access HTTPS sites. This occurs if the firewall is configured with SSL decryption and the user’s browser is using a proxy server.



The workaround for this issue is to either:

  • Modify the configuration to not use block pages when using both SSL decryption and Web-Proxy.
  • Disable the proxy on the browser.


owner: mcooke


Why is this? Can you please provide a more technical explanation? Those workarounds are not workarounds, they are "don't use this feature".


I have encountered this problem and am struggling to understand why it is happening. It seems from Fiddler that the block page arrives at the client but the client doesn't display it. Why? If we can identify this we can also identify a workaround that doesn't involve turning the features off.

Ok, answering my own question:

The reason is a change in newer browsers (read Firefox 3.0.10 and older and IE8) to prevent MITM attacks.

The Bluecoat Knowledgebase explains it quite well:

Also, tested and confirmed still working with Firefox 3.0.9 - using PAN-OS 6.0.3, connecting through to a Squid proxy, block pages are also displayed for HTTPS.

Hope somebody else finds this useful.