Antivirus/Anti-Spyware Response Page not working

alexander.graser · ‎01-20-2017

Hey Community!

I noticed that our Firewall (PA-3020, PAN-OS 7.1.6) does not serve an Antivirus/Anti-Spyware block page.

When I use http://www.eicar.org/85-0-Download.html to test it, I can see that it is blocked.

ThreatLog shows action "reset-both" but in the Browser (tested with Firefox 50.1.0 and IE 11 11.576.14393.0/Win10) I don´t get the desired and configured Block-Page.

URL-Filter and Application block pages are working as expected, but AV/Spyware block page is not working.

SSL-Decryption is enabled and if I use https://secure.eicar.org/eicar.com for download, the download is also blocked, but I don´t get a block page. So no matter if http or https is used, the file is blocked but no response page is served.

We also have a PA-500 - PAN-OS 7.1.6, no SSL-Decryption active - response pages are configured and I get the same result as on our PA-3020, that is: URL-Filter and Application block pages are working as expected, but AV/Spyware block page is not served to the client browser, although the download is blocked.

Does anyone else have the similar issues?

Thanks,

Alex.

VinceM · ‎01-20-2017

Hi,

short question, do you enable response page in Device / Response page ?

look: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-response-p...

For SSL: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an...

Hope help

V.

alexander.graser · ‎01-20-2017

Thanks VinceM,
but as far as I know, you can't enable nor disable AV-Response page. At least there is no option for doing that.
Application response page is enabled and as I mentioned in my original post, App and Url response pages or working correctly.

The following command is set - required for SSL decrypt.
set deviceconfig setting url dynamic-url yes

the managment profile for the egress interface is set to enable response pages.
I know for sure, that the AV response page worked when we first implemented the firewall 3 years ago and I think that was on
PAN-OS 5.X
I don't know when it stopped working :-(

Alex.

kasito · ‎03-19-2019

Hello,

I have the same behavior, response pages for unencryped flows are working, response pages for encrypted (with SSL interception) app + URL filtering are also working fine.

However other encrypted flows (with SSL interception) like AV, vulnerability are not working but I think it's by designed for the transparent proxy: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZJCA0

Does someone know a way to change the behavior even if it's not a proper response page but something that may challenge the user that the firewall is blocking something?

Thanks

Antivirus/Anti-Spyware Response Page not working