Details
This document describes how to configure a Palo Alto Networks firewall to serve a URL filtering response page (block page) inside an HTTPS session without performing SSL decryption.
Requirements
- If you are using dynamic URL filtering with BrightCloud, enable dynamic URL filtering on every URL filtering profile and also enable it globally with the configure-mode CLI command below. The command is accepted only when the firewall is licensed for BrightCloud URL Filtering; if PAN-DB URL filtering is used, skip this step and proceed to the next one.
# set deviceconfig setting url dynamic-url yes
Note: This command is no longer available from PAN-OS 10.1 onward.
- Enable the firewall's ability to inject URL filtering response pages into an HTTPS session with the following configure-mode command. It works with either BrightCloud or PAN-DB URL filtering:
# set deviceconfig setting ssl-decrypt url-proxy yes
Note: Both commands above are available only through the CLI, and, like any configuration change, they take effect only after a commit.
Note: The firewall can only serve the block page after it has seen the client's HTTP GET request.
For HTTPS this means the SSL handshake must first complete between the client and the firewall; once the HTTP GET arrives over that session, the firewall answers it with the block page.
If the block page does not appear for an HTTPS site, take a packet capture: it will usually show a TCP RST from an upstream device, or some other failure of the SSL handshake, before the firewall ever receives the HTTP GET.
If the browser reports a connection error for the HTTPS site, check whether an upstream device is blocking that site over HTTPS.
Compare with the same site over plain HTTP: if HTTP shows the block page, the URL Filtering policy is matching and the problem lies in the HTTPS path.
The browser's developer tools show which response the client actually received, for HTTPS and for HTTP (the original screenshots of the error messages and of the developer-tool output for HTTPS and for HTTP are not reproduced here).
If the configuration is correct, the block page is displayed for the HTTPS site as well as for the HTTP site.
Successful completion of the setup allows the firewall to serve a URL filtering response page to client machines within an HTTPS session whenever the URL Filtering policy triggers it.
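The checks described above (does the TLS handshake complete, does the GET come back with the block page, does the same site behave differently over plain HTTP) can be scripted from a client behind the firewall. The following Python script is an added example and is not part of the original article or a Palo Alto Networks tool. It assumes that the default response page title "Web Page Blocked" is the text to look for (change the marker if the page has been customised), and it includes a small local HTTP server that is only a constructed stand-in so the probe can be self-checked offline; the real target is the firewall-protected site given on the command line.

```python
"""Probe one site over HTTP and HTTPS from a client behind the firewall and report
whether the URL filtering response page came back, or where the HTTPS path failed."""
import http.client
import socket
import ssl
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the default PAN-OS block page carries this title. Change it if the
# response page has been customised.
DEFAULT_MARKER = "Web Page Blocked"


def probe(host, port, use_tls, path="/", marker=DEFAULT_MARKER, timeout=5.0):
    """Connect, complete the TLS handshake if requested, send one GET and classify
    the outcome. 'error' is None when an HTTP answer was read, otherwise one of
    'refused', 'reset', 'timeout', 'tls_error' or 'other'."""
    result = {"scheme": "https" if use_tls else "http", "error": None,
              "tls_version": None, "status": None, "response_page": False}
    try:
        if use_tls:
            # The certificate presented for the injected page will not verify
            # against the site's name, so verification is disabled for this
            # diagnostic only. Never do this in production client code.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.connect()                      # TCP connect (+ TLS handshake for HTTPS)
        if use_tls:
            result["tls_version"] = conn.sock.version()
        # The firewall only answers with the page once it sees the HTTP GET.
        conn.request("GET", path, headers={"Host": host, "User-Agent": "page-probe"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        result["status"] = resp.status
        result["response_page"] = marker in body
        conn.close()
    except ConnectionRefusedError:
        result["error"] = "refused"
    except ConnectionResetError:          # typically a RST from an upstream device
        result["error"] = "reset"
    except socket.timeout:
        result["error"] = "timeout"
    except ssl.SSLError:                  # handshake did not complete
        result["error"] = "tls_error"
    except OSError:
        result["error"] = "other"
    return result


def diagnose(http_result, https_result):
    """Draw the conclusion the troubleshooting steps above lead to."""
    if https_result["response_page"]:
        return "ok: response page served over HTTPS"
    if http_result["response_page"] and https_result["error"] is not None:
        return ("policy works over HTTP but the HTTPS path failed (%s): look for an "
                "upstream device blocking the site over HTTPS" % https_result["error"])
    if http_result["error"] is None and not http_result["response_page"]:
        return "no response page even over HTTP: check the URL filtering policy first"
    return "inconclusive: http=%s https=%s" % (http_result["error"], https_result["error"])


# Constructed stand-in for the firewall's response page, used only to self-check
# the probe offline; it is not the real PAN-OS page.
SAMPLE_PAGE = ("<html><head><title>Web Page Blocked</title></head><body>Access to the "
               "web page you were trying to visit has been blocked.</body></html>")


def serve_sample(body=SAMPLE_PAGE, status=200):
    """Start a throw-away local HTTP server returning `body`; returns (port, server)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):   # keep the self-check quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


if __name__ == "__main__":
    target = sys.argv[1]                  # a host in a category the policy blocks
    plain = probe(target, 80, use_tls=False)
    tls = probe(target, 443, use_tls=True)
    print("HTTP :", plain)
    print("HTTPS:", tls)
    print(diagnose(plain, tls))
```

Run it as `python3 probe.py blocked-site.example` from a client whose traffic passes through the firewall. A "reset" or "tls_error" on the HTTPS probe while the HTTP probe shows the response page points at the HTTPS path (an upstream device, or a handshake that never completes), which is exactly what the packet capture would confirm; no response page on either probe means the URL Filtering policy itself is not matching.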
Caveats with Continue and Override
Content on today's websites comes from many sources. When a URL response page is served for an action of type Continue or Override, some content on the page may not render properly. This happens when embedded content is fetched from a site whose category has an action of Block, Continue or Override: the firewall does not present the Continue or Override page for each embedded link, so that content is never released.
Note: After you replace the certificate (for example, to renew it before it expires), restart the dataplane or the device. This flushes the expired certificate from the dataplane cache.