Block page and SSL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Block page and SSL

Not applicable

Hey all,

So, we have a need to block everyone but a small AD group access to a couple pages.  Now, we don't want to just "deny" them in the rule (we have a comfort page that promps them they are blocked and allows them to request access) - I don't want to see all those tickets about a site not loading.  So, here is what I did:

Rule 1 Allow:  Anyone from "AD Group"  via "web-browsing" or "ssl" to (website 1 and website 2) - allowed.

Rule 2 Block:  Anyone from anywhere else via "web-browsing" or "ssl" to (website 1 and website 2) - allowed.  However, I created a "block all" URL group so that nothing is allowed through and they are given our block page.

Website 1 is a standard http site and works great.  Website 2 is an SSL site.  When I try and go to it, I see that it's hitting the "block" rule but it never presents the block page.  It just sits there churning.

Any thoughts?

6 REPLIES 6

Not applicable

Just a note.  I've confirmed if I manually go to the http site (which will by default redirect to https) the block page is presented.  However, if you google search the site, it will take you to the https site which does NOT present a block page.

Hi msoldner,

You can achieve block pages over SSL in two ways.

1) One is through SSL decryption of the websites so that Paloalto has visibility into the websites traffic. Here is a document to do the same.

2) The other way is paloalto will act as a proxy for ssl sessions if the IP's URL category is blocked.

This can be done by the command from coniguration mode

"set device config setting ssl-decrypt url-proxy yes"

also can you please let me know which pan-os version are you running.

Thanks,

Sandeep T

Hey Sandeep,

We are currently running 4.1.6 with plans to move to 4.1.7 in the short-term.

The command you note will only decrypt if the page is supposed to be blocked, correct?  Are there any other known effects that command will have?

Thanks,

-Mike

Unfortunatly Sandeep it doesn't appear to work.

I did issue the "set deviceconfig setting ssl-decrypt url-proxy yes" command however it's still not presenting a block page.  It shows the session as "DISCARD" but never presents a block page.  At this point, at least as of yet, we don't want to start using certificats to break the SSL stream to block.

Hi msoldner,

On 4.1.6 this is command is not working as expected as a result you are not seeing the block pages. Can you open a ticket with support so that we can guide you to a proper pan-os version which has fix.

Thanks,

Sandeep T

The issue with "set deviceconfig setting ssl-decrypt url-proxy yes" was tracked with bugid 43872 and it's fixed in 4.1.9.

In 4.1.6 you can use SSL Decryption rule as an alternative

-Salvo

  • 4219 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!