Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?


L4 Transporter

I'm trying to understand why users can't get a URL Filtering Response Page when they go to SSL-based Web Sites that are not being decrypted by the firewall.

Thanks,

Jeff


L4 Transporter

It's the purpose of SSL (encrypted) web pages: no one can mess with the content of your website unless they can do a man-in-the-middle to decrypt and listen, or even change the content. In order to present a nice error message to the user, any product on the market needs to replace the original content of the web page with that error message, and that's only doable if decryption is done.

When we can't decrypt, we drop the traffic.

L7 Applicator

URL filtering is done after the session is set up, when the HTTP request is made. By this point the session is encrypted, including the payload of the URL text. So we require decryption in order to read the URL, check the category and apply rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steven,

Thank you very much for your answer. I understand why we must SSL decrypt to be able to see the actual HTTP GET request. What I don't understand is why the firewall doesn't display a URL Response Page for URL categories that have an action of either Block, Continue or Override for sites that are SSL but not decrypted by the firewall. What does the firewall do (technically) when it is presented with a site that is set to block, continue or override by the URL Filtering Profile, in order for it to present a Response Page?

Thanks,

Jeff

I already looked at that thread and if you read it closely and implement it, the firewall is actually decrypting the HTTPS sessions. The title is very misleading.

If you are using Firefox and see the message "(Error code: ssl_error_rx_record_too_long)", then it means the firewall has sent the response page, but the browser expected the SSL/TLS handshake.

You can take a packet capture on client machine to see what's happening.
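As an added illustration (not from the thread or the firewall vendor), here is how a TLS client's record layer interprets a cleartext HTTP response page arriving where a ServerHello was expected; the two samples and the "too long" record bound are constructed assumptions:

```python
import struct

# TLS record header layout (RFC 5246): type(1) | version(2) | length(2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Largest record a TLS 1.2 client tolerates: 2^14 bytes of plaintext plus 2048
# bytes of expansion (assumption used here as the "record too long" threshold).
MAX_TLS_RECORD_LEN = 2**14 + 2048

# Constructed samples: the first bytes of a genuine ServerHello record, and a
# cleartext block page such as a firewall would send if it cannot decrypt.
SERVER_HELLO_PREFIX = b"\x16\x03\x03\x00\x2a"
PLAINTEXT_BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                        b"<html>Blocked by URL Filtering policy</html>")


def parse_tls_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes the way a TLS record layer does."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {
        "content_type": ctype,
        "content_type_name": TLS_CONTENT_TYPES.get(ctype, "unknown"),
        "version": version,
        "length": length,
        "looks_like_tls": ctype in TLS_CONTENT_TYPES and (version >> 8) == 3,
        "record_too_long": length > MAX_TLS_RECORD_LEN,
    }


def classify_server_reply(data: bytes) -> str:
    """Label what the client received in place of the expected ServerHello."""
    hdr = parse_tls_record_header(data)
    if hdr["looks_like_tls"] and not hdr["record_too_long"]:
        return "tls"
    if data.startswith(b"HTTP/"):
        # The browser never renders this as HTML: "HTTP/" decodes to content
        # type 0x48 and record length 0x502F (20527), so the TLS layer aborts
        # with ssl_error_rx_record_too_long before any HTML is parsed.
        return "cleartext_http_response_page"
    return "unrecognized"


if __name__ == "__main__":
    for name, sample in (("ServerHello", SERVER_HELLO_PREFIX), ("block page", PLAINTEXT_BLOCK_PAGE)):
        print(name, parse_tls_record_header(sample), classify_server_reply(sample))
```

In a client-side packet capture the same five bytes are what to look for: a plaintext `HTTP/` status line in the server-to-client direction of a port 443 session means a response page was injected into an undecrypted TLS handshake.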

I replied in #1: a block/error message requires the original page to be replaced by the error page, and that cannot be done without decrypting, since the original page is inside the encrypted connection.

Got it! Thank you very much!

  • 1 accepted solution
  • 6597 Views
  • 8 replies
  • 0 Likes