Palo Alto Networks Knowledgebase: URL Block Page (Response Page) Appears When Custom URL is Used
URL Block Page (Response Page) Appears When Custom URL is Used
Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Zone and DoS Protection
If a custom URL is used in any of the policy, and traffic does not match the custom URL policy, it hits any deny rule. The user will receive a URL Block Page (Response Page), even though the deny rule has no URL filtering profile. The Palo Alto Networks firewall generates only the traffic log with no URL filtering log. There are no URL filtering logs with the URL Block Page, while using the custom URL.
The traffic appears as normal traffic logs. For the screenshot example below, see the following rule functions:
The first rule allows DNS Traffic
The second rule allows custom URL "google-custom-url", which contains *.google.com. It is used to match any site which has google.com in it.
The third rule is simple, deny any without URL filtering profile.
If a user tries to access facebook.com, which does not meet the first rule, it does not match the second rule, which allows sites containing the google.com word in the URL. Now it matches the third rule, deny any rule. The user is prompted the block page, even though the deny rule is not configured with any URL filtering profile.