Custom Response Page

L3 Networker


Hi All,

 

Hoping someone can help. I need a custom response page for URL Filtering. I know I need to use JavaScript but that is not my forte, so hoping someone can provide the information for me. I need to produce two distinct page responses depending on the IP address the user comes from, i.e.:

If they come from address range 10.0.0.0/8 a URL response page produces "Page Blocked for Security Reasons"

If they come from any other address range a URL response page produces "Page Blocked because we have the power to do so".

 

I understand it is a text file I need to upload, it's just the page construct I'm struggling with.

 

Thanks in advance

 

Adrian

L3 Networker

Hi

 

I don't see that IP Address is a known variable in the URL filtering response page. If you want to try, or just want the HTML file layout, download the current block page and edit it, then re-upload it:

 

1. Device->Response pages->click on 'URL Filtering and Category Match page'

2. Select predefined then 'export'

3. Open the text file with an editor, then import it back.

4. Imported file will be called 'shared' and will be used.

 

Take a look here for more info and the

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-response-pages

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/customize-the-url-filtering-...

 

Hope this helps,

Shai

Cyber Elite

Hi @a.jones 

Do you have user-id configured on that firewall? If not then the variable for the username will contain the IP address which you can then use in a javascript that will display the message like you need it.

L3 Networker

Hi All,

 

Apologies, I may need to add a bit more detail. The configuration contains multiple paths for different partners for a large wireless network. Each Partner has their own SSID and is assigned a specific subnet. Many share the same Response Page for their web traffic, but we have a couple that want to have a different response page carrying their own Partner name. Whilst I cannot add multiple response pages and refer a partner to a specific response page, I understand that using JavaScript I can assign a specific response based on the IP source of the user, hence the original question.

 

Regards

 

Adrian

Cyber Elite

@a.jones what PAN-OS version do you have installed?

L3 Networker

About to upgrade to 8.1.15-h3.

 

We are going to 9 or 9.1 in late Sept/Early Oct.

 

Regards

 

Adrian

Cyber Elite

Hi @a.jones

Do you have user-id configured or not? And are the subnets all /24 subnets?

Cyber Elite

So in case you are not using user-id and you have /24 subnets, you can use the following response page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<title>Web Page Blocked</title>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
		<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
		<meta name="viewport" content="initial-scale=1.0">
		<style>
		  #content {
			border:3px solid #aaa;
			background-color:#fff;
			margin:1.5em;
			padding:1.5em;
			font-family:Tahoma,Helvetica,Arial,sans-serif;
			font-size:1em;
		  }
		  h1 {
			font-size:1.3em;
			font-weight:bold;
			color:#196390;
		  }
		  b {
			font-weight:normal;
			color:#196390;
		  }
		</style>
		<script type="text/javascript">
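			// Renamed from onload(): inside the body's onload attribute the bare
			// name "onload" resolves to the body's own handler property before the
			// global function, so the call recursed instead of running this code.
			function setBlockText()
			{
				// The firewall replaces <user/> with the source IP when User-ID is not in use.
				var ip = "<user/>";
				var octets = ip.split(".");
				// First three octets identify the /24 subnet.
				var subnet = octets[0] + "." + octets[1] + "." + octets[2];
				var title = document.getElementById("title");
				var infotext = document.getElementById("infotext");
				// Subnets with no case below keep the default title and text from the body.
				switch (subnet) {
					case "10.0.0":
						title.innerHTML = "Title 1";
						infotext.innerHTML = "Infotext 1";
						break;
					case "10.0.1":
						title.innerHTML = "Title 2";
						infotext.innerHTML = "Infotext 2";
						break;
					case "10.0.2":
						title.innerHTML = "Title 3";
						infotext.innerHTML = "Infotext 3";
						break;
				}
			}
		</script>
	</head>
	<body bgcolor="#e7e8e9" onload="setBlockText()">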
		<div id="content">
			<h1 id="title">Web Page Blocked</h1>
			<p id="infotext">Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
			<p><b>User/IP:</b> <user/> </p>
			<p><b>URL:</b> <url/> </p>
			<p><b>Category:</b> <category/> </p>
		</div>
	</body>
</html>

The only thing you need to change is the statements in the switch statement according to your subnets and the title and text you want to display to the user.

L3 Networker

Hi,

 

Apologies for no response. I had been in and out with suspected Covid symptoms for a few weeks.

 

I have tried this and whether I am doing something wrong.

 

I need the following IP subnets with the following response:

172.18.24.0/23 and 172.18.26.0/23 respond with

“Access to the web page you were trying to visit has been blocked in accordance with NNC filtering policy. Please contact the Complaints and Compliments team at NNC for more information or if you feel that the site you were attempting to view was inappropriately blocked.”

 

All other IPs respond with:

“Access to the web page you were trying to visit has been blocked in accordance with Corp Partnering filtering policy. Please go to the Corp Partnering webpage for more information or if you feel that the site you were attempting to view was inappropriately blocked.”

 

This is a multi vsys Palo Alto and this particular vsys is the Public Wifi vsys. All Partners' wifi traverses this vsys so there is no Userid, but 2 partners want 2 specific subnets with a different response, hence my issues.

 

Regards and thanks as always.

 

Adrian
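
An added example, not posted by anyone in this thread: the /23 ranges above do not line up with the three-octet switch in the earlier reply, so this sketch matches the source address against CIDR ranges instead. It assumes, as stated earlier in the thread, that `<user/>` is replaced with the source IP when User-ID is not configured; the names `PARTNER_RANGES`, `ipToInt`, `inCidr` and `pickMessage` are illustrative.

```javascript
// Added example: CIDR-based text selection for the block page's <script> section.
var NNC_TEXT = "Access to the web page you were trying to visit has been blocked in accordance with NNC filtering policy. Please contact the Complaints and Compliments team at NNC for more information or if you feel that the site you were attempting to view was inappropriately blocked.";
var DEFAULT_TEXT = "Access to the web page you were trying to visit has been blocked in accordance with Corp Partnering filtering policy. Please go to the Corp Partnering webpage for more information or if you feel that the site you were attempting to view was inappropriately blocked.";

// Ranges taken from the post above; anything else gets DEFAULT_TEXT.
var PARTNER_RANGES = [
  { cidr: "172.18.24.0/23", text: NNC_TEXT },
  { cidr: "172.18.26.0/23", text: NNC_TEXT }
];

// Dotted-quad IPv4 -> unsigned integer, or null when the value is not an IPv4
// address (for example a username, or an unreplaced placeholder).
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet; // plain arithmetic avoids signed 32-bit bitwise results
  }
  return n;
}

// True when ip lies inside cidr ("a.b.c.d/len").
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var addr = ipToInt(ip), base = ipToInt(parts[0]), bits = parseInt(parts[1], 10);
  if (addr === null || base === null || !(bits >= 0 && bits <= 32)) return false;
  var size = Math.pow(2, 32 - bits); // number of addresses in the range
  return Math.floor(addr / size) === Math.floor(base / size);
}

function pickMessage(ip) {
  for (var i = 0; i < PARTNER_RANGES.length; i++) {
    if (inCidr(ip, PARTNER_RANGES[i].cidr)) return PARTNER_RANGES[i].text;
  }
  return DEFAULT_TEXT; // non-IP values and unlisted ranges fall through here
}

// In the response page: fill the existing <p id="infotext"> once the page loads.
if (typeof document !== "undefined") {
  window.addEventListener("load", function () {
    document.getElementById("infotext").textContent = pickMessage("<user/>");
  });
}
```

Because the text is chosen in the browser, both messages are visible in the page source to every client; this only changes what is displayed, not what is enforced.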

 

 
