No Block Page when accessing Blocked Categories over HTTPS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

No Block Page when accessing Blocked Categories over HTTPS

L3 Networker

Hi there,

I have recently noticed that when I test access to URLs of blocked categories over HTTPS, I do not get a 'Blocked Page' display from the Palo. It just says the Page Cannot be Displayed and show the connection was reset.

 

The URL filtering log correctly show as 'Block-URL' for the action. I just do not get a 'Block Page'. 

SSL decrypt is not configured.

 

How can I get a block page for blocked categories over HTTPS, without SSL Decrypt.

 

Your assistance is appreciated

6 REPLIES 6

Community Team Member

Hi @Bocsa,

 

Are you looking for this ?

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an...

 

Hope it helps.

-Kiwi

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi,

I had tried this earlier. It doesn't solve the problem. In my case all it did was give me a message saying 'The Connection to the Site is Not Trusted' (ie the standard message you get when accessing an SSL site without a Trusted Certificate.

 

I still do not get a 'Block Page'

@Bocsa,

The security warning could have been a few things:

1) The Forward Trust certificate wan't trusted by the client, this cert actually needs to be imported and trusted by the clients.

2) The site you were attempting to visit wasn't a trusted certificate, so it served the Forward Untrust cert.

 

You also need to enable the ability to inject the response pages within an HTTPS session which could also be the issue. Are you sure that you ran the 'set deviceconfig settting ssl-decrypt url-proxy yes'  command, without this setting then the device won't inject the response pages.

''You also need to enable the ability to inject the response pages within an HTTPS session which could also be the issue''.....I'm not sure of what you mean by enable to ability to inject the response pages here.

 

Yes, I have put in the command 'set deviceconfig settting ssl-decrypt url-proxy yes'

L2 Linker

If the sites cert isn't supported by the TSL, thats happening before the request can be blocked. Test if you get it with a site that has a supported cert, but is set to be blocked. 

****************************************************
ACE 7.0, PCNSE7

L1 Bithead

hi,

 

The problem you are having is based on the fact that the only FW can in normal cercomstances can not highjack the ssl session because it does not have the root cert of the destination. therefore it can only work if you do a man in the middle (or ssl inspection as it is called in the firewall). this will terminate the session of the client on the firewall witch in turn wil present it's own cert, this cert wil be signed by the firewall itself unless you have taken precautions and installed a trusted public ca. In this case it presents it's a cert signed by itself, which is not trusted by the client, thats why you're getting a site not trusted.

 

Hope this kind of explains the problem.

  • 5548 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!