Palo Alto Networks Knowledgebase: URL Filtering Response Pages Not Loading Properly

URL Filtering Response Pages Not Loading Properly

5356
Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Resolution

Issue

When using URL Filtering with Response Pages, if attempting to load a URL that contains page elements from another URL category, the response page does not load or content embedded content within the page fails to load completely.

 

Example 1:

  • A response page is configured (Continue , Override or Block) for the Spam category.
  • When browsing to a site in the Auctions category which includes various page content from the Spam category, the response page does not display and some parts of the web page are not loaded correctly.

 

To identify if this is related to a web page display problem, create a temporary URL filtering policy to disable the response pages and verify if the page loads correctly.

 

Example 2:

Another option to isolate issues with embedded content failing to load would be to install a 3rd party debugging utility such as Firebug or or HttpWatch where you can view status of each individual GET request to see which content is timing out/failing to load.

Example below has a URL Profile (Continue , Override or Block) configured strictly for  'content-delivery-networks'.

 

Using Firebug as an example, launch the console, access the page in question, then sift through the Net console & search for message '302 Moved' ('Failed to load the given URL').

amazon.JPG

Right-clicking on the image(s) that are failing to load & selecting 'View Image Info' will highlight the specific URL which was failing (which is also referenced in the Net console as previously mentioned).

Reference the Domain field (in this case 'd2o307dm5mqftz.cloudfront.net') & use the test command via CLI to determine the categorization of the blocked site:

amazon2.JPG

You can also view 'live' session status of discarded sessions via CLI as follows:

amazon3.JPG

Notice that Session State = Discard & URL category is categorized as 'content-delivery-networks' which in this example was in fact blocked/defined via the URL Filtering profile configured for this test.

Discarded sessions will also be logged via the Monitor Tab->Logs->URL Filtering. Example below sourcing IP of client which shows URL's blocked (referencing .jpg images which were not being displayed) along with Action 'block-continue'.

amazon4.JPG

 

Resolution

This is expected behavior of the product as embedded content will not have the capability to prompt for a continue or override option. Additionally, the main site being accessed could be categorized by a site being permitted by the URL Filtering profile,

bypassing Response Pages all together.

 

owner: ppolizzi



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt2CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language