06-03-2013 08:28 AM
Hi all,
I have a very common security rule permitting all traffic in for 80, 8080 and 443 ports, no matter the application.
The attached URL security profile denies all url categories except for one (custom).
Now I've noticed that I'm not able to get the expected block page each time I try to access a web site; specifically, I can obtain the response page only when the detected application is "web-browsing" but not, i.e., when it's ssl, facebook, gmail etc.
So when I go to:
gmail.com
www.microsoft.com
facebook.com
etc
I get the block page.
While when I try with:
I just get the browser error page but NO block page.
This is the TRAFFIC log
while this is the URL log
as you can see there's no match for anything else than port 80.
So I've tried to setup an ssl decryption policy
that should catch anything for that source IP address, but nothing changes. I keep on getting a block page only when traffic is web-browsing, but as you might understand this is quite boring for users, whose resulting experience is the page not showing, without knowing the reason...
Is this the expected behaviour?
thanks
Manuel
06-03-2013 08:33 AM
Hi,
Know that in some versions there is a bug which does not allow the response page to be sent if traffic is https.
What is your version?
Try to upgrade to the latest one, either 5.0.5 or 4.1.12.
V.
06-03-2013 08:34 AM
I forgot, my PANOS version is 5.0.4.
Don't know if this bug could somehow be related:
46649
When denying a web session with a response page, the firewall did not perform a
proper close for the TCP connection, causing the client to remain half open.
but theoretically it should have been solved starting with 5.0.4...
06-03-2013 10:16 AM
I replicated this with 5.0.4
When we don't use ssl decryption no page comes (web page cannot be displayed).
When we use ssl decryption we see block page.
06-05-2013 06:07 AM
By default, you can't display the block response page with HTTPS websites.
There are two ways to show it.
One is to use ssl-decryption rule, another is to enable url-proxy.
For url-proxy in detail, please refer to How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session wi...
On my PA-200 with 5.0.5 it works fine with url-proxy and no decryption rules.
Regards,
06-05-2013 08:53 AM
Hi emr,
I had tried before with ssl-decryption (see my previous post) and right now with the method according to your link. I found it very useful and in my opinion that should be the default behaviour; I wonder why it's not.
Unfortunately in both cases I cannot get any block page...
06-05-2013 09:22 AM
Update: just retried with another platform 5.0.5 and got it working enabling ssl-decrypt url-proxy yes