So, we have a need to block everyone but a small AD group from accessing a couple of pages. Now, we don't want to just "deny" them in the rule (we have a comfort page that prompts them that they are blocked and allows them to request access) - I don't want to see all those tickets about a site not loading. So, here is what I did:
Rule 1 Allow: Anyone from "AD Group" via "web-browsing" or "ssl" to (website 1 and website 2) - allowed.
Rule 2 Block: Anyone from anywhere else via "web-browsing" or "ssl" to (website 1 and website 2) - allowed. However, I created a "block all" URL group so that nothing is allowed through and they are given our block page.
Website 1 is a standard http site and works great. Website 2 is an SSL site. When I try and go to it, I see that it's hitting the "block" rule but it never presents the block page. It just sits there churning.
You can achieve block pages over SSL in two ways.
1) One is through SSL decryption of the websites so that Palo Alto has visibility into the websites' traffic. Here is a document to do the same.
2) The other way is that Palo Alto will act as a proxy for SSL sessions if the IP's URL category is blocked.
This can be done by the following command from configuration mode:
"set deviceconfig setting ssl-decrypt url-proxy yes"
Also, can you please let me know which PAN-OS version you are running?
Unfortunately, Sandeep, it doesn't appear to work.
I did issue the "set deviceconfig setting ssl-decrypt url-proxy yes" command; however, it's still not presenting a block page. It shows the session as "DISCARD" but never presents a block page. At this point, at least as of yet, we don't want to start using certificates to break the SSL stream to block.
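For readers trying to reproduce the two-rule design from the thread (an allow rule for the AD group, followed by a catch-all rule that is also "allow" but carries a URL filtering profile that blocks everything, so the firewall can serve the block page), here is that setup as PAN-OS configure-mode CLI, together with the url-proxy setting Sandeep mentioned. This is an added illustration, not configuration posted by either participant. Object names (website1, website2, block-all, etc.), the address FQDNs, the zone names and the group DN are placeholders; substitute your own. Lines starting with # are annotations, not CLI input.

```text
# --- Address objects for the two sites (FQDNs are placeholders) ---
set address website1 fqdn www.site1.example
set address website2 fqdn www.site2.example

# --- A custom URL category that matches everything, and a URL filtering
#     profile that blocks that category. Attached to the catch-all rule,
#     this is what produces the block/comfort page instead of a silent deny.
set profiles custom-url-category block-all list [ * ]
set profiles url-filtering block-everything block [ block-all ]

# --- Rule 1: the AD group may reach both sites on web-browsing/ssl.
#     The source-user value is a placeholder group DN; use the group as it
#     appears in your User-ID group mapping.
set rulebase security rules allow-restricted-sites from trust to untrust
set rulebase security rules allow-restricted-sites source any
set rulebase security rules allow-restricted-sites source-user [ "cn=restricted-sites,ou=groups,dc=corp,dc=example" ]
set rulebase security rules allow-restricted-sites destination [ website1 website2 ]
set rulebase security rules allow-restricted-sites application [ web-browsing ssl ]
set rulebase security rules allow-restricted-sites service application-default
set rulebase security rules allow-restricted-sites action allow

# --- Rule 2: everyone else hits the same destinations, is "allowed" so the
#     URL filtering profile can act, and the profile blocks every URL.
set rulebase security rules block-restricted-sites from trust to untrust
set rulebase security rules block-restricted-sites source any
set rulebase security rules block-restricted-sites source-user any
set rulebase security rules block-restricted-sites destination [ website1 website2 ]
set rulebase security rules block-restricted-sites application [ web-browsing ssl ]
set rulebase security rules block-restricted-sites service application-default
set rulebase security rules block-restricted-sites action allow
set rulebase security rules block-restricted-sites profile-setting profiles url-filtering block-everything

# Ordering matters: the group-specific allow must be evaluated first.
move rulebase security rules block-restricted-sites after allow-restricted-sites

# --- The setting from the thread: proxy TLS sessions to blocked categories
#     so a block page can be returned without a full decryption policy.
set deviceconfig setting ssl-decrypt url-proxy yes

commit
```

Two things worth checking after the commit: first, that HTTP to website1 still returns the block page for a non-group user (that confirms the catch-all rule and profile are wired correctly); second, which of the two rules an HTTPS session to website2 actually matches in the traffic log, since a session that lands on the block rule and ends as DISCARD, as in the thread, means the policy matched but the page was never injected into the encrypted stream. Serving an HTML block page inside a TLS connection requires the firewall to present a certificate to the browser one way or another, so if the url-proxy setting alone does not change the behaviour on your PAN-OS version, the decryption route Sandeep listed first is the remaining option.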