I have a very common security rule permitting all traffic in for 80, 8080 and 443 ports, no matter the application.
The attached URL security profile denies all URL categories except for one (custom).
Now I've noticed that I'm not able to get the expected block page each time I try to access a web site. Specifically, I can obtain the response page only when the detected application is "web-browsing" but not, e.g., when it's ssl, facebook, gmail etc.
So when I go to:
I get the block page.
While when I try with:
I just get the browser error page but NO block page.
This is the TRAFFIC log
while this is the URL log
As you can see, there's no match for anything other than port 80.
So I've tried to set up an SSL decryption policy
that should catch anything for that source IP address, but nothing changes. I keep on getting a block page only when traffic is web-browsing, but as you might understand it's quite boring for users, whose resulting experience is the page not showing, without knowing the reason...
Is this the expected behaviour?
I forgot, my PANOS version is 5.0.4.
Don't know if this bug could somehow be related:
When denying a web session with a response page, the firewall did not perform a
proper close for the TCP connection, causing the client to remain half open.
but theoretically it should have been solved starting with 5.0.4...
By default, you can't display a block response page with HTTPS websites.
There are two ways to show it.
One is to use an ssl-decryption rule, another is to enable url-proxy.
For url-proxy in detail, please refer to How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session wi...
On my PA-200 with 5.0.5 it works fine with url-proxy and no decryption rules.
I had tried before with ssl-decryption (see my previous post) and right now with the method according to your link. I found it very useful and in my opinion that should be the default behaviour; I wonder why it's not.
Unfortunately, in both cases I cannot get any block page...