01-19-2021 12:00 AM
Hi There,
I have configured a security policy to block a URL category using the Service/URL Category method, and my action is deny.
This works and the category is denied; however, the block response page is not displayed. Instead I get "This site can't be reached" and "ERR_CONNECTION_RESET".
When I block the same category using the URL Filtering Security Profile, the block response page is displayed.
This behavior is the same for both encrypted and unencrypted pages, and also on PAN-OS 9.1.7 as well as on 10.0.2.
Any idea if this is normal behavior or if this is something that i can fix?
Thanks in advance 🙂
Response Page not displayed when using security policy to deny URL category
03-28-2021 11:31 PM
Can you confirm that you are matching the correct policy that just blocks with the category? Also, I think before this rule there should be rules that identify the App-ID as web-browsing or ssl, so check in the traffic that the App-ID is identified correctly.
Please see:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
Can you provide a screenshot of the rule? Maybe it also has an App-ID in the rule, and maybe you need "Application Block Page" as this triggered first, etc.
03-29-2021 04:39 PM
Assuming that you are attempting to block an HTTPS site, and that you aren't decrypting said traffic (which would cause the issue you are describing), this behavior is expected. You would need to follow https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0 to get this functioning. By default, the firewall won't attempt to serve a response page if you aren't decrypting the traffic, because it would just lead to a certificate warning.
10-25-2022 02:29 AM
Hi all
I face the exact same Issue.
I have enabled response pages and tried it with a URL category profile using: http://urlfiltering.paloaltonetworks.com/test-malware.
This worked perfectly fine.
However: I went on, removed the URL profile, added the Service/URL Category "malware", set the rule to deny, and I'm presented with a browser message telling me the network connection was interrupted (no response page).
So either this is by design / a technical limitation, or it's a bug.
PA-220, 10.2.2
Find my rule below.
11-03-2022 12:51 PM
I am seeing the same behavior. PA-3250 10.2.3
11-03-2022 01:56 PM - edited 11-03-2022 01:56 PM
To me it would seem to be operating as designed and expected behavior.
With a Security Policy you select targets by some combination of IP, zone, user, service, and/or URL (SNI), and with a deny action you are sending a TCP or UDP reset to the endpoint. It doesn't matter or necessarily operate on HTTP/HTTPS. Therefore the browser just gets a connection closed message, no actual content response.
With URL Filtering you are filtering content inside the HTTP/HTTPS connection. So when a block happens you are interrupting the content stream and can return a different content page, vs. just terminating the network connection.
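The distinction in the reply above is observable from the client side: a security-policy deny ends the TCP connection (the browser's ERR_CONNECTION_RESET), a drop action leaves the client waiting, and a URL Filtering block answers inside the HTTP stream with a response page. The script below is an added example, not code from this thread or from Palo Alto Networks; it stands up constructed loopback "firewalls" that behave each of those three ways and a `probe()` function that classifies what a client sees. The block-page HTML and the `Web Page Blocked` marker are assumptions for the demo, not the firewall's real page, and the probe speaks plain HTTP only (no TLS).

```python
"""Classify what a client observes when a request is stopped:
TCP reset, silent drop, or an HTTP block page.
Local stand-ins play the firewall; nothing here talks to a PAN-OS device."""
import socket
import struct
import threading

# Constructed stand-in for a firewall response page (not the vendor's real page).
BLOCK_PAGE_BODY = "<html><body><h1>Web Page Blocked</h1><p>Category: malware</p></body></html>"
BLOCK_PAGE = (
    "HTTP/1.1 503 Service Unavailable\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "\r\n" + BLOCK_PAGE_BODY
)
ALLOW_PAGE = "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello"


def start_fake_firewall(mode):
    """Listen on an ephemeral loopback port and handle exactly one HTTP request.

    mode: "reset" -> close with SO_LINGER=0 so the kernel sends a TCP RST
                     (how a security-policy deny with a reset looks on the wire)
          "drop"  -> never answer; the client has to time out (a drop action)
          "block" -> answer with an HTTP block page (a URL Filtering profile block)
          "allow" -> ordinary 200 response
    Returns (port, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        conn.recv(4096)  # consume the request line and headers
        if mode == "reset":
            # linger enabled with a zero timeout: close() aborts with RST, not FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        elif mode == "drop":
            conn.recv(1)  # stay silent until the client gives up and closes
        elif mode == "block":
            conn.sendall(BLOCK_PAGE.encode())
        else:
            conn.sendall(ALLOW_PAGE.encode())
        conn.close()

    t = threading.Thread(target=handle, daemon=True)
    t.start()
    return port, t


def probe(host, port, path="/", timeout=0.5):
    """Send one plain-HTTP GET and classify the outcome."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except ConnectionResetError:
        return "tcp-reset"      # what the browser reports as ERR_CONNECTION_RESET
    except socket.timeout:
        return "silent-drop"    # the browser eventually reports a timeout
    raw = b"".join(chunks).decode(errors="replace")
    status = raw.split("\r\n", 1)[0]
    if "Web Page Blocked" in raw:
        return f"response-page ({status})"
    return f"served ({status})"


if __name__ == "__main__":
    for mode in ("reset", "drop", "block", "allow"):
        port, t = start_fake_firewall(mode)
        print(f"{mode:6s} -> {probe('127.0.0.1', port)}")
        t.join(2)
```

Run it and the `reset` case prints `tcp-reset` while `block` prints the 503 response page, which is exactly the symptom difference reported in this thread. Against a real firewall, point `probe()` at an http:// site in the blocked category; for an https:// site the same distinction only appears once the traffic is decrypted, since without decryption the firewall cannot inject a page into the TLS stream.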