This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HTTPS response page

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HTTPS response page

Jafar_Hussain
L4 Transporter

‎03-28-2021 05:27 AM

Dears,

 

I have created one custom response page(including image) that is for application block and URL block.

example:- If someone wants to access a restricted URL or application the page should be displayed on the customer screen.

 

I can see, once I apply the custom response page in the URL block page and application block page. then access the HTTP traffic the page display was showing properly, however, while accessing the HTTPS site not able to get the response page.

I have applied the SSL forward proxy decryption. and the traffic decrypted correctly.

 

Jafar_Hussain_0-1616934348405.png

 

Can anyone help me to achieve this?

 

1 person had this problem.
0 Likes Likes
16 REPLIES 16

nikoolayy1
L6 Presenter

‎03-28-2021 05:47 AM

Have you checked this article  (read it carefully)?

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0

0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to nikoolayy1

‎03-28-2021 06:19 AM

@nikoolayy1 

I believe this article for. to get the response page without SSL decryption. but in my case, the decryption already applied.

0 Likes Likes

nikoolayy1
L6 Presenter
In response to Jafar_Hussain

‎03-28-2021 06:31 AM - edited ‎03-28-2021 06:32 AM

Have you tested with:

set deviceconfig setting ssl-decrypt url-proxy yes

 

I am wondering if this will work without fully decrypting the traffic. Also you have added the SSL Trust certficate to the client workstation ?

 

 

Also did you test with the default page if client sees the page?

0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to nikoolayy1

‎03-28-2021 06:40 AM

@nikoolayy1 

 

yes, the certificate is installed in client machine.

I  checked the default page for HTTP and https that is working fine.

However, for the custom page, the only HTTP website showing the page. while accessing  HTTPS not able to get the custom response page.

0 Likes Likes

nikoolayy1
L6 Presenter
In response to Jafar_Hussain

‎03-28-2021 06:52 AM - edited ‎03-28-2021 07:44 AM

Use tcpdump or Fiddler or HTTPWatch. Maybe the page is returned to the client but the web blowser does not like it for the ssl traffic as new blowsers have such protections (you may test with curl as it will not have such protection and it will display the response page ).

 

Can you share the custom page if you see that it is not send at all by the Firewall to workstation and just the workstation is not displaying?

0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to nikoolayy1

‎03-30-2021 05:05 AM

@nikoolayy1 

 

I took the capture from the fiddler and found the below error:-

 

Jafar_Hussain_0-1617105634646.png

 

I Don't know why i am getting the connection refuse error. because this same is working with HTTP  as well.

0 Likes Likes

nikoolayy1
L6 Presenter
In response to Jafar_Hussain

‎03-30-2021 06:58 AM - edited ‎03-30-2021 07:41 AM

Is it possible if your custom web page uses custom elements like images etc. not hosted on the Palo Alto firewall itself then the source server that actually hosts the content to be listening to only http on port 80 and not on https 443 ? Many new web blowsers will not agree the main web page that is using SSL to have elements that need plain text http as I see that the web blowser tries https to get an element and it fails but maybe the source server for that elements listens only on http and this is why for HTTP the page works.

 

Also it is possible for the source server url/ip address of that element that breaks the custom page to not be in the decryption rule of the Palo Alto decryption policy ?

 

 

 

Edit :

 

 

I also see you have CONNECT header, is there any proxy between the client and the Palo Alto and the source server of the element ? As the proxy will need to be checked as well if it blocks for some reason https elements of the custom page?

 

 

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT

Jafar_Hussain
L4 Transporter
In response to nikoolayy1

‎03-31-2021 12:46 AM

@nikoolayy1 

 

There is no proxy.

 

0 Likes Likes

Chacko42
L4 Transporter

‎03-31-2021 06:43 AM

Hi @Jafar_Hussain,

 

I would recommend to go back to the default page, to test, if the mechanism is still working.

For integrating images, you can use base64 encoded pictures inside an <img> tag.

 

With that you can slowly move forward, modify your page and see, when the page isn't shown further.

Best Regards
Chacko
0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to Chacko42

‎03-31-2021 11:49 PM

@Chacko42 @nikoolayy1 

 

I modify to the default page and add an image to refer to these documents:-

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-f...

 

Jafar_Hussain_0-1617259630466.png

 

then i am getting the below block page that is expected.

 

Jafar_Hussain_1-1617259684676.png

 

but the custom page that is created by my team is not working.

0 Likes Likes

nikoolayy1
L6 Presenter
In response to Jafar_Hussain

‎04-01-2021 12:17 AM - edited ‎04-01-2021 12:20 AM

We mentioned this that you need to check if the custom page for example uses img tag that gets the image from a server URI, where HTTP is allowed but HTTPS is not allowed by the server or the firewall or other security policy. I think you need to check this with your team that made the custom page.

 

 

Use F12 devtools or HTTPWatch or Fiddler to check the code for the response page as I think the Palo Alto or web blowser automatically change for example:

 

 

<img src="http://www.w3schools.com/images/lamp.jpg" alt="Lamp" width="32" height="32">

 

 

TO

 

 

<img src="https://www.w3schools.com/images/lamp.jpg" alt="Lamp" width="32" height="32">

 

 

As it was said better host images and so on things on the Palo Alto firewall than making the user to connect to a server for the image of the custom page and as you see you will not have such issues.

 

 

0 Likes Likes

nikoolayy1
L6 Presenter
In response to nikoolayy1

‎04-06-2021 03:28 PM

Any update on this and if you managed to resolve it?

0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to nikoolayy1

‎04-08-2021 03:49 AM

@nikoolayy1 

 

Nope, our server team is checking.

0 Likes Likes

HolgerKrause
L1 Bithead

‎07-21-2021 06:01 AM

Have you found a solution? We are facing the same issue here.

 

We decrypt all traffic. The response page works fine for http but for websites with ssl the browser identifies an unsecure connection although we have a valid certificate installed. I tried already all the ideas mentioned before, but it is still not working.

The browser shows redirection issues. For ebay.de the response page starts with: 'https://2.18.234.244:6081/php/urladmin.php?args=AAAAaQAAABBAJiCETo.....' .

0 Likes Likes
  • 10323 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks