This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

No Block Page when accessing Blocked Categories over HTTPS

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

No Block Page when accessing Blocked Categories over HTTPS

Bocsa
L3 Networker

‎04-28-2017 08:30 AM

Hi there,

I have recently noticed that when I test access to URLs of blocked categories over HTTPS, I do not get a 'Blocked Page' display from the Palo. It just says the Page Cannot be Displayed and show the connection was reset.

 

The URL filtering log correctly show as 'Block-URL' for the action. I just do not get a 'Block Page'. 

SSL decrypt is not configured.

 

How can I get a block page for blocked categories over HTTPS, without SSL Decrypt.

 

Your assistance is appreciated

0 Likes Likes
6 REPLIES 6

ChrisRussell
L2 Linker

‎05-03-2017 02:18 PM

If the sites cert isn't supported by the TSL, thats happening before the request can be blocked. Test if you get it with a site that has a supported cert, but is set to be blocked. 

****************************************************
ACE 7.0, PCNSE7
0 Likes Likes

P.Braat
L1 Bithead

‎05-04-2017 12:25 AM - edited ‎05-07-2017 11:50 PM

hi,

 

The problem you are having is based on the fact that the only FW can in normal cercomstances can not highjack the ssl session because it does not have the root cert of the destination. therefore it can only work if you do a man in the middle (or ssl inspection as it is called in the firewall). this will terminate the session of the client on the firewall witch in turn wil present it's own cert, this cert wil be signed by the firewall itself unless you have taken precautions and installed a trusted public ca. In this case it presents it's a cert signed by itself, which is not trusted by the client, thats why you're getting a site not trusted.

 

Hope this kind of explains the problem.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks