04-28-2017 08:30 AM
I have recently noticed that when I test access to URLs of blocked categories over HTTPS, I do not get a 'Blocked Page' display from the Palo. It just says the Page Cannot be Displayed and show the connection was reset.
The URL filtering log correctly show as 'Block-URL' for the action. I just do not get a 'Block Page'.
SSL decrypt is not configured.
How can I get a block page for blocked categories over HTTPS, without SSL Decrypt.
Your assistance is appreciated
05-03-2017 02:18 PM
05-04-2017 12:25 AM - edited 05-07-2017 11:50 PM
The problem you are having is based on the fact that the only FW can in normal cercomstances can not highjack the ssl session because it does not have the root cert of the destination. therefore it can only work if you do a man in the middle (or ssl inspection as it is called in the firewall). this will terminate the session of the client on the firewall witch in turn wil present it's own cert, this cert wil be signed by the firewall itself unless you have taken precautions and installed a trusted public ca. In this case it presents it's a cert signed by itself, which is not trusted by the client, thats why you're getting a site not trusted.
Hope this kind of explains the problem.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!