I have recently noticed that when I test access to URLs of blocked categories over HTTPS, I do not get a 'Blocked Page' display from the Palo. It just says the Page Cannot be Displayed and show the connection was reset.
The URL filtering log correctly show as 'Block-URL' for the action. I just do not get a 'Block Page'.
SSL decrypt is not configured.
How can I get a block page for blocked categories over HTTPS, without SSL Decrypt.
Your assistance is appreciated
I had tried this earlier. It doesn't solve the problem. In my case all it did was give me a message saying 'The Connection to the Site is Not Trusted' (ie the standard message you get when accessing an SSL site without a Trusted Certificate.
I still do not get a 'Block Page'
The security warning could have been a few things:
1) The Forward Trust certificate wan't trusted by the client, this cert actually needs to be imported and trusted by the clients.
2) The site you were attempting to visit wasn't a trusted certificate, so it served the Forward Untrust cert.
You also need to enable the ability to inject the response pages within an HTTPS session which could also be the issue. Are you sure that you ran the 'set deviceconfig settting ssl-decrypt url-proxy yes' command, without this setting then the device won't inject the response pages.
''You also need to enable the ability to inject the response pages within an HTTPS session which could also be the issue''.....I'm not sure of what you mean by enable to ability to inject the response pages here.
Yes, I have put in the command 'set deviceconfig settting ssl-decrypt url-proxy yes'
If the sites cert isn't supported by the TSL, thats happening before the request can be blocked. Test if you get it with a site that has a supported cert, but is set to be blocked.
The problem you are having is based on the fact that the only FW can in normal cercomstances can not highjack the ssl session because it does not have the root cert of the destination. therefore it can only work if you do a man in the middle (or ssl inspection as it is called in the firewall). this will terminate the session of the client on the firewall witch in turn wil present it's own cert, this cert wil be signed by the firewall itself unless you have taken precautions and installed a trusted public ca. In this case it presents it's a cert signed by itself, which is not trusted by the client, thats why you're getting a site not trusted.
Hope this kind of explains the problem.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!