Palo Alto Networks Knowledgebase: No Malware Block Page When Using SSL Decryption

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
Threat Intelligence Threat Prevention
Resolution

Symptom

When using SSL decryption policy to block malware, the block page does not always display.

Cause

When requesting a web page, browsers tend to send an Accept header that allows any response type, similar to this:

Accept: text/html, image/png, */*;q=0.1\r\n

The */* indicates any response will be accepted.

When requesting a specific object (.zip, .txt, etc.) the client browser may only allow that type of response, limiting what the browser will display. If requesting a .txt file, you may only see:

Accept: text/text\r\n

When the firewall displays a response page indicating that the request is blocked due to a virus, it displays it as an HTML page. The MIME type is text/html. This can mean that if the browser is only allowing text/text, the page will not be displayed.

During an SSL communication, the client browser may close the request rather than display an error that the mime-type did not match what was requested. This results in the browser just "spinning", not displaying any page until an error is presented after a timeout.
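
To check from a decrypted capture whether a given request could have rendered the text/html block page, the following added example (not Palo Alto Networks code) evaluates an Accept header using standard HTTP media-range matching, where the most specific matching range decides. The function names and sample headers are constructed for illustration, and the code models the header only, not how any particular browser reacts to a mismatch.

```python
BLOCK_PAGE_TYPE = "text/html"  # MIME type of the firewall response page (per the article)

def parse_accept(header):
    """Return a list of (type, subtype, q) tuples from an Accept header value."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0] or "/" not in parts[0]:
            continue  # skip empty or malformed media ranges
        mtype, subtype = parts[0].lower().split("/", 1)
        q = 1.0  # default weight when no q parameter is given
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight is treated as not acceptable
        ranges.append((mtype, subtype, q))
    return ranges

def accepts(header, media_type=BLOCK_PAGE_TYPE):
    """True if media_type is acceptable; the most specific matching range decides."""
    if not header or not header.strip():
        return True  # no Accept header means any type is acceptable
    want_type, want_sub = media_type.lower().split("/", 1)
    best = None  # (specificity, q) of the best match seen so far
    for mtype, subtype, q in parse_accept(header):
        if (mtype, subtype) == (want_type, want_sub):
            spec = 2  # exact match, e.g. text/html
        elif mtype == want_type and subtype == "*":
            spec = 1  # type wildcard, e.g. text/*
        elif (mtype, subtype) == ("*", "*"):
            spec = 0  # full wildcard
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, q)
    return best is not None and best[1] > 0

# Constructed sample headers, modelled on the two shown in the article.
SAMPLES = {
    "page request": "text/html, image/png, */*;q=0.1",
    "txt download": "text/text",
}
if __name__ == "__main__":
    for label, header in SAMPLES.items():
        verdict = "block page fits" if accepts(header) else "block page may not render"
        print(f"{label}: Accept: {header} -> {verdict}")
```
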

owner: gwesson


