Block Page not always displayed


L2 Linker

Hi,

 

I have the problem that for some URLs I get a block page and for other URLs I get the "Error secure connection failed" message.

Both responses have the same session end reason: decrypt-cert-validation.

As this happens with SSL connections, I use a decryption profile with the following checked:

  • Block sessions with expired certificates
  • Block sessions with untrusted issuers
  • Block sessions with unknown certificate status
  • Block sessions on certificate status check timeout

 

I tried with Firefox and Chrome and got the result explained above.

Internet Explorer seems to always show the requested block page.

 

Can someone maybe explain why this is happening and maybe how I can for example get Firefox to always show the block page?

 

Best regards,

Marc

 

4 REPLIES

Cyber Elite

@Marc.Luecke,

Do you utilize a web proxy at all on the browsers that aren't working as expected? 

L3 Networker

Hello,

 

The client should trust the SSL certificate presented by the firewall. Firefox keeps certificates in a separate store; during the import process, select all the checkboxes.

 

Other possible reasons are:

  • There is another device performing SSL inspection between the client and the firewall, or between the firewall and the destination server.
  • If the firewall and clients are in different locations, maybe over an MPLS connection, routing problems cause this error, which I experienced before. SSL connections are sensitive to routing problems.

Unfortunately there is no web proxy used.

But thanks for the hint 🙂

 

Best regards,

Marc

Hi,

 

The certificate is installed in the trusted certificate store of Firefox.

There are no other devices installed between client and FW or FW and destination.

 

I have to inform myself about the locations.

 

Please don't misunderstand the issue: it is that, for the same session end reason, I get two different outputs. Sometimes the error message, sometimes the block page, and I would like to always get the block page.

 

It seems to work fine in Internet Explorer, so I am kind of confused.

 

Edit: I have checked the "Strip ALPN" option in the decryption profile and it works for now.

Maybe because now HTTP1 is used? 

 

Is it possible that the NGFW has problems with HTTP2?

 

Best regards,

Marc

 
