File Blocking Continue Page in a TLS connection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

File Blocking Continue Page in a TLS connection

L2 Linker

Hello everyone, 

I have a PA-VM in version 9.0 .1 , 

I have setup a File-blocking profile and attached it to my allow-all security policy. The File-Blocking profile has the action of "Continue" for ".exe" file type. 

In the other hand, I configured a decryption policy. 

My problem is that when I try to download an .exe file via HTTP I get the "Continue" response page . However when I try to download the same file via HTTPS the download is blocked and no response page is display. 

I would like to know why the response page is not displayed when the file is downloaded via a TLS connection. 

many thanks, 

karim

1 accepted solution

Accepted Solutions

@karimanizer,

Expected behavior. As @S.Cantwell already mentioned by linking the article Gwesson made, the firewall can't send a text/html mime-type if the browser is only going to accept a specified response. With 9.0 a change was made so that it simply resets the connection instead of presenting something that isn't going to be accepted by the browser anyways so you don't have to wait for the timeout. 

Due to user experience, it's better if the firewall simply resets this connection instead of attempting to send an invalid response type. 

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

This is always one issue that strikes a chord with users. 

 

The issue is really how the webpage is created and not much about how the FW is configured.

 

Read this below article.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZJCA0

 

 

Help the community: Like helpful comments and mark solutions

Hi SteveCantwell, 

 

Thanks for your reply , 

 

I tried to dig deeper in this and wanted to see if the firewall was actually sending the continue page on the wire. I took a pcap on the client side and decrypted the traffic and I do not see the continue page sent on the wire.  I see only the reset sent by the firewall. 

Non_Working_Continue_Page.JPG

 

I then performed  the test via HTTP (without changing the paloalto configuration) and here I see the correct 503 response from the firewall. 

 Working_Continue_Page.JPG

 

Does anyone know why the response page is not sent by the firewall when using TLS connection  ?

 

Many thanks,

Karim

@karimanizer,

Expected behavior. As @S.Cantwell already mentioned by linking the article Gwesson made, the firewall can't send a text/html mime-type if the browser is only going to accept a specified response. With 9.0 a change was made so that it simply resets the connection instead of presenting something that isn't going to be accepted by the browser anyways so you don't have to wait for the timeout. 

Due to user experience, it's better if the firewall simply resets this connection instead of attempting to send an invalid response type. 

Hi @BPry , 

    | With 9.0 a change was made so that it simply resets the connection instead ... 

Thanks for the clarification !

 

The article you are referencing seems to say that the firewall always sends the "Continue" page and it was the browser that sometimes, due to mime-type mismatch,  does not display the page.  Which is not exactly true.  So I thought I had something wrong in my config. 

 

Many thanks for both of you,

Karim

Hi @BPry  @S.Cantwell , 

I recently discover that CheckPoint firewalls solve this problem by redirecting the client to another page instead of responding to the initial GET request with a blocking page. 

Hope that Palo will introduce this feature in later release 🙂 

many thanks, 

karim

  • 1 accepted solution
  • 7019 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!