missing block-url response page

Showing results for 
Show  only  | Search instead for 
Did you mean: 

missing block-url response page

L2 Linker

Hi all,

I have a very common security rule permitting all traffic in for 80, 8080 and 443 ports, no matter the application

The attached URL security profile denies all url categories except for one (custom).

Now I've noticed not to be able to get the expected block page each time a try to access a web site, specifically I can obtain the response page only when the detected application is "web-browsing" but not, i.e, when it's ssl, facebook, gmail etc.

So when I go to:





I get the block page.

While when i try with:




I just get the browser error page but NO block page.

This is the TRAFFIC log

while this is the URL log

as you can see there's no match for anything else than port 80.

So I've tried to setup an ssl decryption policy

tha shoulfd catch anything for that source ip address, but nothing changes, I keep on getting a block page only when traffic is web-browsing but as you might understand is quite boring for users, whose resulting experience having the page not showing but without knowing the reason....

Is this the expected behaviour?




Accepted Solutions

Update: just retried with another platform 5.0.5 and got it working enabling ssl-decrypt url-proxy yes

View solution in original post


L5 Sessionator


Know that in some version, there is a bug wich not allow to send reponse page if tarffic is https.

What is your version ?

Try to upgrade to last one either 5.0.5 or 4.1.12


L2 Linker

I forgot, my PANOS version is 5.0.4.

Don't know if this bug could somehow be related:


When denying a web session with a response page, the firewall did not perform a

proper close for the TCP connection, causing the client to remain half open.

but theoretically it should have been solved starting with 5.0.4...

I replicated this with 5.0.4

When we don't use ssl decryption no page comes.(web page cannot be displayed)

When we use ssl decryption we see block page.

L5 Sessionator

By default, you can't display block response page with HTTPS websites.

There are two ways to show it.

One is to use ssl-decryption rule, another is to enable url-proxy.

For url-proxy in detail, please refer to How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session wi...

On my PA-200 with 5.0.5 works fine by url-proxy and no decryption rules.


Hi emr,

I had tried before with ssl-decryption (see my previous post) and right now with the method according to your link, I found it very useful and in my opinion that should be the default behaviour, I wonder why it's not.

Unfortunately In both cases I cannot get any block page...

Update: just retried with another platform 5.0.5 and got it working enabling ssl-decrypt url-proxy yes

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!