Block Page not always displayed

L2 Linker

Hi,

 

I have the problem that for some URLs I get a block Page and for other URLs I get the "Error secure connection failed" Message.

Both responses have the same session end reason: decrypt-cert-validation.

As this happens regarding SSL connections I use a decryption Profile with checked:

 

  • Block sessions with expired certificates
  • Block sessions with untrusted issuers
  • Block sessions with unknown certificate status
  • Block sessions on certificate status check timeout

 

I tried with Firefox and Chrome and got the explained result.

The Internet Explorer seems to always show the requested block page.

 

Can someone maybe explain why this is happening and maybe how I can for example get Firefox to always show the block page?

 

Best regards,

Marc

 

Cyber Elite

Re: Block Page not always displayed

@Marc.Luecke,

Do you utilize a web proxy at all on the browsers that aren't working as expected? 

L2 Linker

Re: Block Page not always displayed

Hello,

 

The client should trust the SSL certificate presented by the firewall. Firefox keeps certificates in a separate store; during the import process, select all the checkboxes.

 

Other possible reasons are:

  • There is another device doing SSL inspection between the client and the firewall, or between the firewall and the destination server.
  • If the firewall and the clients are at different locations, maybe over an MPLS connection, routing problems cause this error, which I experienced before. SSL connections are sensitive to routing problems.
L2 Linker

Re: Block Page not always displayed

Unfortunately there is no web proxy used.

But thanks for the hint

 

Best regards,

Marc

L2 Linker

Re: Block Page not always displayed

Hi,

 

The certificate is installed in the trusted certificate store of Firefox.

There are no other devices installed between client and FW or FW and destination.

 

I have to inform myself about the locations.

 

Please don't misunderstand the issue: it is that, for the same session end reason, I get two different outputs. Sometimes the error message, sometimes the block page, and I would like to always get the block page.

 

It seems to work fine in the Internet Explorer, so I am kind of confused.

 

Edit: I have checked the "Strip ALPN" option in the Decryption Profile and it works for now.

Maybe because now HTTP1 is used? 

 

Is it possible that the NGFW has problems with HTTP2?

 

Best regards,

Marc

 
