Block pages can cause HTTPS (SSL) traffic to use wrong security rule
36240
Created On 09/27/18 07:01 AM - Last Modified 07/25/19 22:45 PM
Symptom
- When users access a website such as "https://exchange.leapfile.com/", the rule called "Deny-App" is hit as expected. The application is correctly identified as "leapfile" and blocked by that security rule.
===========================================================================
traffic logs
===========================================================================
Receive_T Dest_addr Rule App S_Port D_Port Action Category
8/25 9:56 54.227.253.124 Deny-App leapfile 55895 443 deny online-storage-and-backup
- After a new security rule called "url block" is created to present block pages based on URL categories, the "url block" security rule is hit instead.
- The traffic logs then show the traffic hitting the rule "url block", with the category "online-storage-and-backup" and the application still identified as "web-browsing".
===========================================================================
traffic logs
===========================================================================
Receive_T Dest_addr Rule App S_Port D_Port Action Category
8/25 9:55 54.227.253.124 url block web-browsing 55888 443 allow online-storage-and-backup
Environment
- PAN-OS
- URL Filtering
- The command that injects URL filtering response pages into an HTTPS session is configured: set deviceconfig setting ssl-decrypt url-proxy yes
Cause
The traffic log shows that the session accessing the URL https://exchange.leapfile.com carries the category "online-storage-and-backup", which is one of the categories for which the URL filtering block page is served.
===========================================================================
traffic logs
===========================================================================
Receive_T Dest_addr Rule App S_Port D_Port Action Category
8/25 9:55 54.227.253.124 url block web-browsing 55888 443 allow online-storage-and-backup
In this scenario, the firewall sends the URL block page before the application "leapfile" can be identified. The session therefore matches the "url block" rule while the application is still seen as "web-browsing", and no longer matches the original security rule "Deny-App".
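As an added example (not PAN-OS or Palo Alto Networks code), the following Python script parses traffic-log lines in the column layout shown above and flags HTTPS sessions where a URL-category rule such as "url block" matched while the application was still the generic "web-browsing", i.e. where the block page was served before App-ID identified the real application. The rule names, column layout and the two sample log lines come from this article; the "ssl" entry in the generic-application set and the 443-only port check are assumptions of the example.

```python
"""Flag HTTPS sessions where a URL-category rule matched before App-ID
finished identifying the application (the behaviour this article describes).

Added example; not PAN-OS code. It assumes the space-separated column layout
shown in the article's traffic-log excerpts:
    Receive_T Dest_addr Rule App S_Port D_Port Action Category
and that rule names may contain spaces (e.g. "url block") while the other
columns never do.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: the two entries quoted in the article.
SAMPLE_LOG = """
8/25 9:55 54.227.253.124 url block web-browsing 55888 443 allow online-storage-and-backup
8/25 9:56 54.227.253.124 Deny-App leapfile 55895 443 deny online-storage-and-backup
"""

# Applications reported before an App-ID shift on a TLS session:
# "web-browsing" is what the article's log shows; "ssl" is assumed here as
# the usual pre-shift application for an undecrypted TLS handshake.
GENERIC_APPS = {"web-browsing", "ssl"}
HTTPS_PORTS = {443}  # assumption: only standard HTTPS is checked


@dataclass
class TrafficLogEntry:
    receive_time: str
    dest_addr: str
    rule: str
    app: str
    s_port: int
    d_port: int
    action: str
    category: str


def parse_line(line):
    """Parse one traffic-log line in the article's column layout.

    Receive_T is two tokens (date, time) and the five trailing columns are
    single tokens, so the rule name is whatever sits between them.
    """
    tokens = line.split()
    if len(tokens) < 9:
        raise ValueError(f"too few columns: {line!r}")
    return TrafficLogEntry(
        receive_time=f"{tokens[0]} {tokens[1]}",
        dest_addr=tokens[2],
        rule=" ".join(tokens[3:-5]),
        app=tokens[-5],
        s_port=int(tokens[-4]),
        d_port=int(tokens[-3]),
        action=tokens[-2],
        category=tokens[-1],
    )


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_preempted_sessions(entries, url_rules):
    """Return (entry, identified_apps) pairs for sessions where a rule in
    `url_rules` matched an HTTPS session while the app was still generic.

    A session is reported only if another session to the same destination
    was identified with a specific application; that is the evidence the
    article relies on: same server, "leapfile" on Deny-App, but
    "web-browsing" on "url block".
    """
    identified = defaultdict(set)
    for e in entries:
        if e.app not in GENERIC_APPS:
            identified[e.dest_addr].add(e.app)
    return [
        (e, sorted(identified[e.dest_addr]))
        for e in entries
        if e.rule in url_rules
        and e.app in GENERIC_APPS
        and e.d_port in HTTPS_PORTS
        and identified[e.dest_addr]
    ]


if __name__ == "__main__":
    for entry, apps in find_preempted_sessions(parse_log(SAMPLE_LOG),
                                               url_rules={"url block"}):
        print(f"{entry.receive_time} {entry.dest_addr}:{entry.d_port} hit "
              f"'{entry.rule}' as {entry.app} ({entry.action}); the same "
              f"host was identified elsewhere as {apps}")
```

Run over a real export, the flagged sessions are the ones to review when an app-based deny rule appears to stop matching after a URL-category block rule is added.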
Resolution
Additional Information
For more information on configuring response pages over an HTTPS connection, see the following link: How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session without SSL Decryption