Why can't the firewall present a Response Page on Non-Decrypted SSL Web sites?

L4 Transporter


I'm trying to understand why users can't get a URL Filtering Response Page when they go to SSL-based Web Sites that are not being decrypted by the firewall.

Thanks,

Jeff


Accepted Solutions
L4 Transporter

I replied in #1: a block/error message requires the original page to be replaced by an error page, and that cannot be done without decrypting, since the original page is inside the encrypted connection.



All Replies
L4 Transporter

It's the purpose of SSL (encrypted) webpages: no one can mess with the content of your website unless they can perform a man in the middle to decrypt and listen, or even change the content. In order to show a nice error message to the user, any product on the market needs to replace the original content of the webpage with that error message, and that is only doable if decryption is done.

When we can't decrypt, we drop the traffic.

Highlighted
L7 Applicator

URL filtering is done after the session is set up, when the HTTP request is made. By this point the session is encrypted, including the payload containing the URL text. So we require decryption in order to read the URL, check the category and apply rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Hi Steven,

Thank you very much for your answer. I understand why we must SSL decrypt to be able to see the actual HTTP GET request. What I don't understand is why the firewall doesn't display a URL Response Page for URL Categories that have an action of Block, Continue or Override for sites that are SSL but not decrypted by the firewall. What does the firewall do (technically) when it is presented with a site that is set to block, continue or override by the URL Filtering Profile, in order for it to present a Response Page?

Thanks,

Jeff

L2 Linker

L4 Transporter

I already looked at that thread and if you read it closely and implement it, the firewall is actually decrypting the HTTPS sessions. The title is very misleading.

L2 Linker

If you are using Firefox and see the message "(Error code: ssl_error_rx_record_too_long)", then it means the firewall has sent the response page; however, the browser expected the SSL/TLS handshake.

You can take a packet capture on client machine to see what's happening.
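The Firefox symptom above can be confirmed in a client-side capture by looking at the first bytes the server side returns after the ClientHello. The following is an added example, not code from the thread or from Palo Alto Networks: it parses those bytes as a TLS record header and reports whether they are a real TLS record or a plaintext HTTP response page, whose leading "HTTP/" bytes decode to an impossibly large record length. Both sample inputs are constructed inline.

```python
import struct

# RFC 5246: a TLS record payload is at most 2^14 bytes plus 2048 bytes of
# expansion. A header whose length field exceeds this is "record too long".
MAX_TLS_RECORD_LEN = 2 ** 14 + 2048

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed samples: what a client would see after sending a ClientHello.
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x4a" + b"\x02\x00\x00\x46" + b"\x00" * 70
SAMPLE_BLOCK_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<html><body>Access blocked by URL filtering</body></html>")


def classify_server_reply(data: bytes) -> dict:
    """Classify the first bytes received in reply to a TLS ClientHello.

    Returns a dict with 'kind' set to 'tls_record', 'plaintext_http',
    'record_too_long', 'short' or 'unknown', plus the parsed header fields.
    """
    if len(data) < 5:
        return {"kind": "short", "detail": "fewer than 5 bytes, no TLS record header"}
    # Every TLS record starts with: content type (1), version (2), length (2).
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if data.startswith(b"HTTP/"):
        # The browser still reads these bytes as a record header: 'H' is the
        # content type, 'TT' the version and 'P/' the length (0x502F = 20527),
        # which exceeds MAX_TLS_RECORD_LEN and produces record_too_long.
        return {"kind": "plaintext_http", "parsed_length": length,
                "detail": f"length field reads {length} > {MAX_TLS_RECORD_LEN}; "
                          "plaintext response page on an undecrypted session"}
    if content_type in TLS_CONTENT_TYPES and major == 3 and length <= MAX_TLS_RECORD_LEN:
        return {"kind": "tls_record", "parsed_length": length,
                "detail": f"{TLS_CONTENT_TYPES[content_type]} record, TLS {major}.{minor}"}
    if length > MAX_TLS_RECORD_LEN:
        return {"kind": "record_too_long", "parsed_length": length,
                "detail": "not HTTP, but length field exceeds the TLS maximum"}
    return {"kind": "unknown", "parsed_length": length,
            "detail": f"unrecognised content type {content_type}"}


if __name__ == "__main__":
    for name, sample in (("ServerHello", SAMPLE_SERVER_HELLO), ("block page", SAMPLE_BLOCK_PAGE)):
        print(name, classify_server_reply(sample))
```

Feed it the first server-to-client payload from the capture (for example, exported from Wireshark's "Follow TCP Stream") to tell a firewall-injected response page apart from a genuine handshake or a plain drop.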

L4 Transporter

Got it! Thank you very much!
